Create Interactive Tour

Windows Analysis Report
psexesvc.exe

Overview

General Information

Sample Name:	psexesvc.exe
Analysis ID:	578219
MD5:	92ca6b9205a136e3dcbb06f2a60a241d
SHA1:	0222035d68dd34686234f407216d962a65729061
SHA256:	02dd88db1ea456b8bbbff5387090a72c590e6371c24c0756fcb7302d981bcb14
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

PE file contains an invalid checksum

Tries to load missing DLLs

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates files inside the system directory

Sample execution stops while process was sleeping (likely an evasion)

Queries disk information (often used to detect virtual machines)

Yara detected PsExec sysinternal tool

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

cmd.exe (PID: 6476 cmdline: cmd /c sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6636 cmdline: sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" MD5: 24A3E2603E63BCB9695A2935D3B24695)

svchost.exe (PID: 6556 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cmd.exe (PID: 6804 cmdline: cmd /c sc start sCwjL >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6856 cmdline: sc start sCwjL MD5: 24A3E2603E63BCB9695A2935D3B24695)

svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7068 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7120 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 1408 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 384 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 6352 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 3828 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6428 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
psexesvc.exe	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" , CommandLine: sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6476, ProcessCommandLine: sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" , ProcessId: 6636

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Source: psexesvc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: psexesvc.exe
Source:	Binary string: [c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: psexesvc.exe

Source: Yara match

File source: psexesvc.exe, type: SAMPLE

Source: svchost.exe, 00000017.00000003.421480492.000002795E79B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-02-18T10:54:16.2391830Z\|\|.\|\|f842f17f-265e-493e-b583-ed2b9e6eabe5\|\|1152921505694521263\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000003.421480492.000002795E79B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-02-18T10:54:16.2391830Z\|\|.\|\|f842f17f-265e-493e-b583-ed2b9e6eabe5\|\|1152921505694521263\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000003.00000002.534100033.0000022B56264000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.438435856.000002795E700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: psexesvc.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000003.00000002.534042031.0000022B56212000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.438276580.000002795DEEA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: psexesvc.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: psexesvc.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: psexesvc.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: psexesvc.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000000C.00000002.308595288.00000190E0C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.533540469.0000020972024000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.533540469.0000020972024000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.307660695.00000190E0C4B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307140997.00000190E0C67000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308646421.00000190E0C69000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.307504356.00000190E0C4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308624289.00000190E0C4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.308616222.00000190E0C42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.308157667.00000190E0C41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.308616222.00000190E0C42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.308157667.00000190E0C41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307899224.00000190E0C2C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.307660695.00000190E0C4B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308595288.00000190E0C24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308305619.00000190E0C3A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.307504356.00000190E0C4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308624289.00000190E0C4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.418332286.000002795E7CD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418277242.000002795E7CD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418395361.000002795E7B6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418385671.000002795E795000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418445400.000002795EC02000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: psexesvc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: psexesvc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\svchost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start sCwjL >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start sCwjL
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start sCwjL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01

Source: psexesvc.exe

String found in binary or memory: %s -install to install the service

Source: classification engine

Classification label: sus26.evad.winEXE@21/8@0/1

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: psexesvc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: psexesvc.exe
Source:	Binary string: [c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: psexesvc.exe

Source: psexesvc.exe

Static PE information: real checksum: 0x379ab should be: 0x362db

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe"

Source: C:\Windows\System32\svchost.exe TID: 6696	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6308	Thread sleep time: -90000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: svchost.exe, 00000003.00000002.534100033.0000022B56264000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@Hyper-V RAW
Source: svchost.exe, 00000003.00000002.533572940.0000022B50A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.534086122.0000022B5624C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.438276580.000002795DEEA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.438046871.000002795DE81000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.533600399.0000026E72229000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start sCwjL			Jump to behavior

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000E.00000002.533526618.000001877C840000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: &@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.533583828.000001877C902000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Yara match

File source: psexesvc.exe, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	Security Account Manager	21 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
psexesvc.exe	1%	Virustotal		Browse
psexesvc.exe	7%	ReversingLabs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000C.00000003.307140997.00000190E0C67000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308646421.00000190E0C69000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000C.00000003.307504356.00000190E0C4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308624289.00000190E0C4E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	psexesvc.exe	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000003.00000002.534042031.0000022B56212000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.438276580.000002795DEEA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307899224.00000190E0C2C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000017.00000003.418332286.000002795E7CD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418277242.000002795E7CD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418395361.000002795E7B6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418385671.000002795E795000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.418445400.000002795EC02000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000002.308595288.00000190E0C24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000C.00000002.308616222.00000190E0C42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.308157667.00000190E0C41000.00000004.00000001.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.307504356.00000190E0C4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.308624289.00000190E0C4E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000003.307660695.00000190E0C4B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000C.00000002.308616222.00000190E0C42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.308157667.00000190E0C41000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	psexesvc.exe	false		high
https://dynamic.t	svchost.exe, 0000000C.00000003.308102466.00000190E0C45000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000C.00000003.308305619.00000190E0C3A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.285116329.00000190E0C31000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000002.308619535.00000190E0C47000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.307962065.00000190E0C46000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000C.00000002.308595288.00000190E0C24000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000C.00000003.307396743.00000190E0C60000.00000004.00000001.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000017.00000003.417229101.000002795E76A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417018614.000002795E78D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417158704.000002795E7BE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417004142.000002795E77D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.417387458.000002795E7DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000002.308612138.00000190E0C3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000A.00000002.533590182.0000020972044000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.307660695.00000190E0C4B000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	578219
Start date:	24.02.2022
Start time:	14:41:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	psexesvc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run as Windows Service
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus26.evad.winEXE@21/8@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.3.108.67, 20.54.104.15, 20.54.7.98
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
14:43:00	API Interceptor	9x Sleep call for process: svchost.exe modified
14:44:16	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24860590254674766
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU49:BJiRdwfu2SRU49
MD5:	488CCE55E7B4C039CBE08827DB7F96B6
SHA1:	74704682B5A8996B57B0FA3086401C849C26647B
SHA-256:	97D8990DF475AB779F3437785DA9AC58618E815D36C68F88DA9CC91019556DCA
SHA-512:	5FCD3258E9247F611B2465A69B2BF6EE9BCB620A99D478938C0BD0460A69F7A8E38C8E1B57D43887948A03E8C8B58F475B0670275DB88372C4A02584B0AF13EB
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x192e8387, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25068575578262897
Encrypted:	false
SSDEEP:	384:0+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:LSB2nSB2RSjlK/+mLesOj1J2
MD5:	594E00DD0BCDB5C58695DA86A77F16D6
SHA1:	518B18FF43058B2C22CD2904989D0966DDDC9113
SHA-256:	F312C785494892D40C5F4162DB74A3BD6CD979CACBC6E4BA361B5ABF23894DD2
SHA-512:	3492F6A19A0C7D05F7EAAC2571D2C555FBAF2C9478A4986AD2163AB92388C99B0E640F5B141DF2EF2241C80DE4AAE825D002723FA9DD7ADB4CE6623199D718B4
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w...+...z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................="...+...z..................<.a.+...z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0773841776560258
Encrypted:	false
SSDEEP:	3:Nv1EvkOzll+j8l/bJdAtiPVMnfs/toll3Vkttlmlnl:BQkORkj8t4vfp3
MD5:	194A48DB258889DFD57D17205D5CB128
SHA1:	6F2A7E7CA7EC06B550D6ECC121F57CBC6C85422D
SHA-256:	92F78A6953A30F69A2DD25908E8AE5432F9EBCB559BC78EDA63BDB7DA3157E8A
SHA-512:	D066ABDD7234234FB0604069A39632B66C42B343A19E74823BD8EB8DB97DD87A8508A804AC6304DE68419786754E35AEFFEF1CDEA628AAC2A31A1F739BC1D60C
Malicious:	false
Preview:	.........................................3...w...+...z.......w...............w.......w....:O.....w..................<.a.+...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.16705849956826
Encrypted:	false
SSDEEP:	192:cY+38+DJDD+iDtJC+iw3+gF+O5+6tw+EStN+Ej6+V:j+s+5D+Me+X+u+M+j+l+J+V
MD5:	BD8659F381D396A2E606F7C1BA0910EE
SHA1:	2C9CF4096BBB09EE17BD2A0DB00A7C75EF31DDB4
SHA-256:	FE94A218AE97278D410C57A351039C36B68B5DE58427B638E947D1FA54FF834F
SHA-512:	4912F6943CFDF5B798D5A2EEB223D68BAE0A11F823AFCF8516C56E618C6C4A241B8A8CBC4D465AD1997991E547EE0738C49A4F43365660D22F7FDE4A3C2AABE5
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220224_224312_304.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.325174241430371
Encrypted:	false
SSDEEP:	96:7bhCVUqe0NMwPo+a9U5BvY9P/YoPECj+xI2lEysk9Ht4bWXT2KjFzSNMCG6JRW:78FeJmwG2HHXjz2q5ONkgCxw
MD5:	661610ED28C83F449219DC6920162D09
SHA1:	6C7E576F40B1DD74EF8E1789B1FEF8E41DE7FFDA
SHA-256:	A0E869B76A96F7B516AC3EAA434CF3280725FD6B9BA6647FD6E4F125BE707839
SHA-512:	4A4ACCDF4D3920E5F9308E9163E66AF81F608333C52BC9B50BCA58200CD0A5365F5E739C3ED1D497B76C453390FF6702EB90CABEA5EEC3C6F8F02269D655BF3C
Malicious:	false
Preview:	.... ... ....................................... ...!...................................@........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................N...=..... ......\|R..)..........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.2.2.4._.2.2.4.3.1.2._.3.0.4...e.t.l.........P.P.........@.......................................................................................................................................................................................................................................................................

C:\servicereg.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	28
Entropy (8bit):	3.678439190827718
Encrypted:	false
SSDEEP:	3:4A4AnXjzSv:4HAnXjg
MD5:	A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:	7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:	596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:	A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:	false
Preview:	[SC] CreateService SUCCESS..

C:\servicestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.452223530984379
Encrypted:	false
SSDEEP:	3:OEAAKzgeq:O5D3q
MD5:	2D04ED21A88B55EA5D30583305BB0F1E
SHA1:	0FA350715AE14A950D415916B0F8A4CCE50EBCA6
SHA-256:	0390DFC93CEEB7FF8B2BD8525D820A29EBBF2FC79F1C379EA77C9CAF169E966E
SHA-512:	C7276D9D5E3F6B33689CEA374037812B87EAC82ABE4B509E408AEBFF0481AFC6E873774EF285570F20D7EF41FE89E83F1A670F8854522A16B5BF163F651043CE
Malicious:	false
Preview:	[SC] StartService FAILED with error 193...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.694958733664205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	psexesvc.exe
File size:	196640
MD5:	92ca6b9205a136e3dcbb06f2a60a241d
SHA1:	0222035d68dd34686234f407216d962a65729061
SHA256:	02dd88db1ea456b8bbbff5387090a72c590e6371c24c0756fcb7302d981bcb14
SHA512:	291ce70e13e40dda049384158e5222be8c94f1b502afec496b920221ba1e280b8662b22f6d50054ff75ef3b49062b2002505154ec979b19cca9f86d44b84fefc
SSDEEP:	3072:Go75Rmi1WpS8bQ0ew7EMhk0PiwLTFYGJiqBERDFDlEIcxA0nKu+t+x9dJN:95RXMpS8fhkWLTFYoBQJl3u+sN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........zr..............c.......c.......c..........+....c..G....I.......c......Rich............................PE..L.....8S...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40985c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x533883A1 [Sun Mar 30 20:50:41 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	dc28047792e224060dad6968dfab7f3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F7194FC3D66h
jmp 00007F7194FBAB59h
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 0042D170h
cmp dword ptr [0042C37Ch+esi*8], 01h
jne 00007F7194FBACD0h
lea eax, dword ptr [0042C378h+esi*8]
mov dword ptr [eax], edi
push 00000FA0h
push dword ptr [eax]
add edi, 18h
call 00007F7194FC335Dh
pop ecx
pop ecx
test eax, eax
je 00007F7194FBACBEh
inc esi
cmp esi, 24h
jl 00007F7194FBAC84h
xor eax, eax
inc eax
pop edi
pop esi
ret
and dword ptr [0042C378h+esi*8], 00000000h
xor eax, eax
jmp 00007F7194FBACA3h
mov edi, edi
push ebx
mov ebx, dword ptr [004242F0h]
push esi
mov esi, 0042C378h
push edi
mov edi, dword ptr [esi]
test edi, edi
je 00007F7194FBACC5h
cmp dword ptr [esi+04h], 01h
je 00007F7194FBACBFh
push edi
call ebx
push edi
call 00007F7194FB8240h
and dword ptr [esi], 00000000h
pop ecx
add esi, 08h
cmp esi, 0042C498h
jl 00007F7194FBAC8Eh
mov esi, 0042C378h
pop edi
mov eax, dword ptr [esi]
test eax, eax
je 00007F7194FBACBBh
cmp dword ptr [esi+04h], 01h
jne 00007F7194FBACB5h
push eax
call ebx
add esi, 08h
cmp esi, 0042C498h
jl 00007F7194FBAC98h
pop esi
pop ebx
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push dword ptr [0042C378h+eax*8]
call dword ptr [004242C0h]
pop ebp
ret
push dword ptr [esp+04h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a344	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x500	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2c200	0x2360	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x24420	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x29850	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x3d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x22bb2	0x22c00	False	0.544099876349	data	6.56292204226	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0x7992	0x7a00	False	0.38354892418	data	5.41125066773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c000	0x22f64	0x1200	False	0.211805555556	data	2.27619381478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4f000	0x500	0x600	False	0.393229166667	data	4.4840822936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x4f0a0	0x304	data	English	United States
RT_MANIFEST	0x4f3a4	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USERENV.dll	UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
NETAPI32.dll	NetApiBufferFree, NetServerEnum
WS2_32.dll	WSAStartup, gethostname, inet_ntoa, gethostbyname
MPR.dll	WNetCancelConnection2W, WNetAddConnection2W
KERNEL32.dll	SetFilePointer, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LCMapStringA, CreateEventW, InterlockedExchange, CreateFileA, RtlUnwind, GetConsoleCP, WideCharToMultiByte, GetStartupInfoA, GetFileType, SetHandleCount, SetConsoleCtrlHandler, FormatMessageW, SetThreadPriority, InterlockedIncrement, FlushFileBuffers, CreateNamedPipeW, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, WaitForMultipleObjects, TerminateProcess, GetExitCodeProcess, SetErrorMode, CreatePipe, SetHandleInformation, SetProcessAffinityMask, ResumeThread, DisconnectNamedPipe, GetProcessHeap, HeapAlloc, HeapFree, lstrlenW, ConnectNamedPipe, SetEvent, GetModuleFileNameW, GetVersion, GetCurrentProcess, SetEnvironmentVariableA, MultiByteToWideChar, GetComputerNameW, GetSystemDirectoryW, DeleteFileW, FindResourceW, LoadResource, SizeofResource, LockResource, GetConsoleScreenBufferInfo, LoadLibraryExW, FormatMessageA, GetStdHandle, FreeLibrary, CreateFileW, GetTickCount, Sleep, SetLastError, GetCurrentThread, GetLastError, WaitForSingleObject, CloseHandle, GetCommandLineW, LocalAlloc, GetModuleHandleW, WriteFile, ReadFile, LocalFree, SetPriorityClass, LoadLibraryW, GetProcAddress, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, GetLocaleInfoW, GetTimeZoneInformation, SetEndOfFile, CompareStringA, CompareStringW, LoadLibraryA, TlsFree, TlsSetValue, EnterCriticalSection, LeaveCriticalSection, ExitThread, GetCurrentThreadId, CreateThread, ReadConsoleInputA, SetConsoleMode, GetConsoleMode, PeekConsoleInputA, GetNumberOfConsoleInputEvents, ExitProcess, HeapReAlloc, GetCommandLineA, DeleteCriticalSection, FatalAppExitA, VirtualFree, VirtualAlloc, HeapCreate, HeapDestroy, GetModuleFileNameA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc
USER32.dll	CloseWindowStation, GetUserObjectSecurity, SetUserObjectSecurity, wsprintfW, DialogBoxIndirectParamW, CloseDesktop, GetSysColorBrush, EndDialog, SetWindowTextW, LoadCursorW, SetCursor, InflateRect, SendMessageW, OpenDesktopW, SetProcessWindowStation, OpenWindowStationW, GetProcessWindowStation, GetDlgItem
GDI32.dll	SetMapMode, StartDocW, StartPage, EndPage, EndDoc, GetDeviceCaps
COMDLG32.dll	PrintDlgW
ADVAPI32.dll	CryptAcquireContextW, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, RegisterEventSourceW, ReportEventW, DeregisterEventSource, DuplicateTokenEx, LookupAccountNameW, LookupAccountSidW, CreateProcessAsUserW, SetEntriesInAclW, InitializeSecurityDescriptor, GetSecurityDescriptorDacl, GetAclInformation, EqualSid, SetSecurityDescriptorDacl, CopySid, IsValidSid, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority, OpenProcessToken, AdjustTokenPrivileges, LogonUserW, ImpersonateLoggedOnUser, RegConnectRegistryW, DeleteService, ControlService, OpenSCManagerW, OpenServiceW, StartServiceW, QueryServiceStatus, CreateServiceW, CloseServiceHandle, ImpersonateNamedPipeClient, OpenThreadToken, RevertToSelf, RegCreateKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptGenKey, CryptExportKey, CryptImportKey, CryptEncrypt, CryptDecrypt, CryptReleaseContext, CryptDestroyKey, AllocateAndInitializeSid, GetTokenInformation, GetLengthSid, SetTokenInformation, GetSecurityInfo, InitializeAcl, GetAce, AddAce, AddAccessAllowedAce, SetSecurityInfo, FreeSid, LsaOpenPolicy, LsaEnumerateAccountRights, LookupPrivilegeValueW, LsaFreeMemory, LsaClose
SHELL32.dll	CommandLineToArgvW

Version Infos

Description	Data
LegalCopyright	Copyright 2001-2014 Mark Russinovich
InternalName	PsExec Service Host
FileVersion	2.11
CompanyName	Sysinternals
ProductName	Sysinternals PsExec
ProductVersion	2.11
FileDescription	PsExec Service
OriginalFilename	psexesvc.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• cmd.exe
• conhost.exe
• svchost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• svchost.exe
• svchost.exe
• svchost.exe
• SgrmBroker.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• MpCmdRun.exe
• conhost.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• svchost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• svchost.exe
• svchost.exe
• svchost.exe
• SgrmBroker.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• MpCmdRun.exe
• conhost.exe

Click to jump to process

Behavior

• cmd.exe
• conhost.exe
• svchost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• svchost.exe
• svchost.exe
• svchost.exe
• SgrmBroker.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe
• MpCmdRun.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	14:42:59
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe" >> C:\servicereg.log 2>&1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	14:43:00
Start date:	24/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	14:43:00
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	14:43:00
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create sCwjL binpath= "C:\Users\user\Desktop\psexesvc.exe"
Imagebase:	0x1080000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	14:43:02
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc start sCwjL >> C:\servicestart.log 2>&1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	14:43:02
Start date:	24/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	14:43:03
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start sCwjL
Imagebase:	0x1080000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	14:43:10
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	14:43:11
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	14:43:12
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	14:43:13
Start date:	24/02/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6de5a0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	14
Start time:	14:43:13
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	14:43:14
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	17
Start time:	14:43:27
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	18
Start time:	14:43:49
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	23
Start time:	14:44:09
Start date:	24/02/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	14:44:15
Start date:	24/02/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff654070000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	14:44:15
Start date:	24/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report psexesvc.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220224_224312_304.etl

C:\servicereg.log

C:\servicestart.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Windows Analysis Report
psexesvc.exe