Windows Analysis Report
http://amtso.eicar.org/PotentiallyUnwanted.exe

Overview

General Information

Sample URL: http://amtso.eicar.org/PotentiallyUnwanted.exe
Analysis ID: 1546341
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: /opt/package/joesandbox/database/analysis/1546341/temp/droppedscan/chromecache_78 Avira: detection malicious, Label: PUA/EICAR-Test-Signature.A
Source: C:\Users\user\Downloads\Unconfirmed 953330.crdownload Avira: detection malicious, Label: PUA/EICAR-Test-Signature.A
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe (copy) ReversingLabs: Detection: 86%
Source: C:\Users\user\Downloads\Unconfirmed 953330.crdownload ReversingLabs: Detection: 86%
Source: Chrome Cache Entry: 78 ReversingLabs: Detection: 86%
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.2:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.209.130:443 -> 192.168.2.17:49721 version: TLS 1.2
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49715
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49705
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: global traffic HTTP traffic detected: GET /PotentiallyUnwanted.exe HTTP/1.1Host: amtso.eicar.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAYmHDDRmyane8Fod1HC8VXZMGkU9AejSY1UyQblmBumTKuDI6Id4zhhGfGxqATtVnXS9XF11agZrpFTVEOSdZZ5YaEAUihSl0mI5E81FkfhXarzD9X7SJPfu4/jzv/zyyLY9g4OGWgy2odicFJBMZTfZV1izEcXJ/3PKNAtkXKhtprxWR0vQ0FkhNBTKPfQPf%2B0R1sRjP%2BQ7DpBCroG5i4%2BGyFg4qbUECwclOiGBBJqp8SZCuzcLoKRxPQTMkGVH5rzKd70EXTXDgP1rM4E4ifYHqWSSe1BW9nWHodlRvbXvEZGHygbPgqA8bfmZSw6xZbSY7kh0ASCkVg92NdodOiIQZgAAEMtbzXvQfnGRIi%2BMUCDFlK2wAZuRy29V6i435W16QOF/czggoermpHBXOuqnJwM3cS858K%2ByO5IjLOmHQr8NmB%2B1mbu6x3hl%2B8PoRRl9V6eXlUT3aZwbFPls%2BUoONip2w/lf1egysn71Y74p6DymO90nDStpkboNPPJvPgbaaJcB8KGXCiXJFaOnSXv33lYqpkaXmmpcpIFeizgjH/Q7YL8yMqLqvEagA/In7Ua/cw7dqlJdAsmBuRLsb8k/JREQmeGlJynLJc2HO4LGdS/viIDctGE7v/PkcLWCFf27Y0vV%2BkKf40sCuPByORubRpI9z1QeCP8wWlt0veIGJZ7pHVZbJkwVtaVcLwpJ6d7eWEMePLr3xa43kroVG7wLAgd/xh0HqW436y1N%2BeoCn6NH1vAjQPVFzgTehzsXiT7AeqNSkpyBdmrpHqI1Ij7%2BXm1AXQ%2BFZWLxiKm2td3GrxoZDIleeFy/UYVZhudeWzlFLZozSUd4VDAPjLBEANZZSM1DTpjE7TyvYdJ6bxi8JVL%2BSFDqhgtJwSsYwcS36IisWHOD0xKO71xoFWWDOME5Uvk8C6rwmIEYeyr2sdQkAusHUME0XdoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1730399857User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 89D4803490BE43838DD133B3B98DDBB0X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic DNS traffic detected: DNS query: amtso.eicar.org
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000000.1165100131.0000000000A06000.00000002.00000001.01000000.00000004.sdmp, chromecache_78.1.dr, Unconfirmed 953330.crdownload.0.dr String found in binary or memory: http://www.amtso.org/feature-settings-check.html
Source: Taskmgr.exe, 0000001A.00000003.1833023391.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1831145249.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.2:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.209.130:443 -> 192.168.2.17:49721 version: TLS 1.2
PE file does not import any functions
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr Static PE information: Data appended to the last section found
Source: classification engine Classification label: mal56.win@24/14@6/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Windows\System32\Taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\Taskmgr.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://amtso.eicar.org/PotentiallyUnwanted.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\Downloads\PotentiallyUnwanted.exe "C:\Users\user\Downloads\PotentiallyUnwanted.exe"
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /0
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\Downloads\PotentiallyUnwanted.exe "C:\Users\user\Downloads\PotentiallyUnwanted.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\Taskmgr.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
PE file contains an invalid checksum
Source: Unconfirmed 953330.crdownload.0.dr Static PE information: real checksum: 0xb28f should be: 0xbc9b
Source: chromecache_78.1.dr Static PE information: real checksum: 0xb28f should be: 0xbc9b
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr Static PE information: real checksum: 0xb28f should be: 0x8396
Drops PE files
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 953330.crdownload Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 78 Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\PotentiallyUnwanted.exe (copy) Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 78
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 78 Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\Taskmgr.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes!
Source: Taskmgr.exe, 0000001A.00000002.1836956928.000002282DE01000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1831145249.000002282DD7C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DD7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor8
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE7E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service"
Source: Taskmgr.exe, 0000001A.00000003.1832249709.0000022829BC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(
Source: Taskmgr.exe, 0000001A.00000003.1767398235.000002282DEBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Ha
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :Hyper-V Data Exchange ServiceH
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisori
Source: Taskmgr.exe, 0000001A.00000003.1772231746.000002282DFEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE79000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000003.1772371172.000002282DF0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot$$
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processori
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partitionp!
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partitionpv
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE29000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1833305286.000002282DE29000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V Heartbeat ServiceVen_VM
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE40000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V pkrutanenxkxbsm Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (Spatial Data Service&Ven_VMware
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorsys
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE5E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE5E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionriv
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE44000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processord{
Source: Taskmgr.exe, 0000001A.00000003.1771970940.000002282E027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: Taskmgr.exe, 0000001A.00000003.1767349527.000002282DFE1000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1767542501.000002282DF23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flu
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DD3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device0
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE48000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZHyper-V Remote Desktop Virtualization Service+
Source: Taskmgr.exe, 0000001A.00000003.1831145249.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V pkrutanenxkxbsm BusE
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BHyper-V PowerShell Direct Service
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitioneK
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdownb3c
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827886166.000002282DDEC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 0000001A.00000003.1767640689.000002282DEC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE3B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Time Synchronization Service
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition2K
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE3B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Volume Shadow Copy Requestor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceA
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <Hyper-V Guest Shutdown Servicez
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE58000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE58000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0Shell Hardware Detection_VMware
Queries the installation date of Windows
Source: C:\Windows\System32\Taskmgr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546341 URL: http://amtso.eicar.org/Pote... Startdate: 31/10/2024 Architecture: WINDOWS Score: 56 40 Antivirus detection for dropped file 2->40 42 Multi AV Scanner detection for dropped file 2->42 6 chrome.exe 23 2->6         started        10 Taskmgr.exe 1 14 2->10         started        12 chrome.exe 2->12         started        14 Taskmgr.exe 2->14         started        process3 dnsIp4 36 192.168.2.17, 138, 443, 49672 unknown unknown 6->36 38 239.255.255.250 unknown Reserved 6->38 26 C:\Users\...\Unconfirmed 953330.crdownload, PE32 6->26 dropped 28 C:\Users\...\PotentiallyUnwanted.exe (copy), PE32 6->28 dropped 30 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp, PE32 6->30 dropped 16 chrome.exe 6->16         started        20 chrome.exe 6->20         started        22 PotentiallyUnwanted.exe 6->22         started        file5 process6 dnsIp7 32 amtso.eicar.org 81.7.7.163, 443, 49700, 49701 ISPPRO-ASISPPRO-AScoversthenetworksofISPproDE Germany 16->32 34 www.google.com 142.250.185.196, 443, 49704, 49723 GOOGLEUS United States 16->34 24 Chrome Cache Entry: 78, PE32 16->24 dropped file8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.185.196
 www.google.com United States
15169 GOOGLEUS false
81.7.7.163
 amtso.eicar.org Germany
35366 ISPPRO-ASISPPRO-AScoversthenetworksofISPproDE false

Private

IP
192.168.2.17

Contacted Domains

Name IP Active
www.google.com 142.250.185.196 true
amtso.eicar.org 81.7.7.163 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://amtso.eicar.org/PotentiallyUnwanted.exe false
    		unknown