Analysis Report svch0st.4553.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 106030
Start date: 25.01.2019
Start time: 10:50:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: svch0st.4553.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.spyw.evad.winEXE@228/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 6.3% (good quality ratio 6%)
  • Quality average: 63.8%
  • Quality standard deviation: 24.4%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 65
  • Number of non-executed functions: 284
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 72 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface 1 | Winlogon Helper DLL | Process Injection 11 | Masquerading 1 | Input Capture 1 | Security Software Discovery 121 | Application Deployment Software | Input Capture 1 | Data Compressed | Standard Cryptographic Protocol 2
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 11 | Network Sniffing | File and Directory Discovery 11 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 2 | Input Capture | System Information Discovery 223 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: svch0st.4553.exe | virustotal: Detection: 38%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00428580 CryptReleaseContext,0_2_00428580
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00428650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_00428650
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00427FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_00427FC0
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00428120 CryptAcquireContextA,GetLastError,CryptReleaseContext,0_2_00428120
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_004284F0 CryptGenRandom,__CxxThrowException@8,0_2_004284F0
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_004284B0 CryptReleaseContext,0_2_004284B0
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00428580 CryptReleaseContext,2_2_00428580
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00428650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,2_2_00428650
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00427FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,2_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00428120 CryptAcquireContextA,GetLastError,CryptReleaseContext,2_2_00428120
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_004284F0 CryptGenRandom,__CxxThrowException@8,2_2_004284F0
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_004284B0 CryptReleaseContext,2_2_004284B0

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_00434E4B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_00434E2B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,0_2_00434EAE
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0047F56B FindFirstFileExA,0_2_0047F56B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,2_2_00434E4B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,2_2_00434E2B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,2_2_00434EAE
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_0047F56B FindFirstFileExA,2_2_0047F56B
Contains functionality to query local drives
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_003E7B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent,0_2_003E7B60

Networking:

Urls found in memory or binary data
Source: svch0st.4553.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: svch0st.4553.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svch0st.4553.exe | String found in binary or memory: http://ocsp.comodoca.com0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: svch0st.4553.exe, 00000000.00000002.4258435370.000000000050A000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

DDoS:

Too many similar processes found
Source: svch0st.31937.exe | Process created: 98
Source: unknown | Process created: 129

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: String function: 00447D7A appears 166 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: String function: 00447E90 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: String function: 003C4D00 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: String function: 00447DAE appears 68 times
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: String function: 00447D7A appears 152 times
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: String function: 00447E90 appears 55 times
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: String function: 003C4D00 appears 35 times
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: String function: 00447DAE appears 61 times
Sample file is different than original file name gathered from version info
Source: svch0st.4553.exe, 00000000.00000000.4231540817.00000000004DA000.00000002.sdmp | Binary or memory string: OriginalFilenameworker32> vs svch0st.4553.exe
Source: svch0st.4553.exe | Binary or memory string: OriginalFilenameworker32> vs svch0st.4553.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\svch0st.4553.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal72.spyw.evad.winEXE@228/0@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0043540C GetDiskFreeSpaceExW,GetLastError,GetDiskFreeSpaceExW,GetLastError,0_2_0043540C
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_003ED9B0 CoCreateInstance,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,0_2_003ED9B0
Might use command line arguments
Source: C:\Users\user\Desktop\svch0st.4553.exe | Command line argument: .nH 0_2_00486D80
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Command line argument: .nH 2_2_00486D80
PE file has an executable .text section and no other executable section
Source: svch0st.4553.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\svch0st.4553.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: svch0st.4553.exe | virustotal: Detection: 38%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\svch0st.4553.exe 'C:\Users\user\Desktop\svch0st.4553.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default User\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\Warning.png'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\ThirdPartyNotices.txt'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\12UGI5G9\BBPYIfz[1].jpg'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates.xml'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates\last-update.log'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\qml\QtQuick\Controls.2\ScrollBar.qml'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'
Source: C:\Users\user\Desktop\svch0st.4553.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -wJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default User\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\Warning.png'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\ThirdPartyNotices.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\12UGI5G9\BBPYIfz[1].jpg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates\last-update.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\qml\QtQuick\Controls.2\ScrollBar.qml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Submission file is bigger than most known malware samples
Source: svch0st.4553.exe | Static file information: File size 1267728 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: svch0st.4553.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0045673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0045673B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00447D43 push ecx; ret 0_2_00447D56
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00447D43 push ecx; ret 2_2_00447D56
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00447ED6 push ecx; ret 2_2_00447EE9

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\svch0st.4553.exe | File moved: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_004463DA GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004463DA

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | File opened: C:\Documents and Settings\Default\
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-74732
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-85215
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\svch0st.4553.exe | API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | API coverage: 5.1 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_00434E4B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_00434E2B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00434EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_00434EAE
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0047F56B FindFirstFileExA, 0_2_0047F56B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_00434E4B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_00434E2B
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00434EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 2_2_00434EAE
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_0047F56B FindFirstFileExA, 2_2_0047F56B
Contains functionality to query local drives
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_003E7B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent, 0_2_003E7B60
Contains functionality to query system information
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_003B1000 GetSystemInfo, 0_2_003B1000
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svch0st.31937.exe, 00000002.00000002.4331305544.0000000003080000.00000002.sdmp, svch0st.31937.exe, 0000000D.00000002.4452996535.0000000002A90000.00000002.sdmp, svch0st.31937.exe, 0000000E.00000002.4471729261.0000000002950000.00000002.sdmp, svch0st.31937.exe, 0000000F.00000002.4483967355.0000000000B60000.00000002.sdmp, svch0st.31937.exe, 00000011.00000002.4525122721.0000000002510000.00000002.sdmp, svch0st.31937.exe, 00000016.00000002.4555605622.0000000003140000.00000002.sdmp, svch0st.31937.exe, 00000019.00000002.4588434185.00000000028E0000.00000002.sdmp, svch0st.31937.exe, 0000001A.00000002.4597397623.00000000010F0000.00000002.sdmp, svch0st.31937.exe, 0000001B.00000002.4626620566.0000000002F80000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svch0st.31937.exe, 00000002.00000002.4331305544.0000000003080000.00000002.sdmp, svch0st.31937.exe, 0000000D.00000002.4452996535.0000000002A90000.00000002.sdmp, svch0st.31937.exe, 0000000E.00000002.4471729261.0000000002950000.00000002.sdmp, svch0st.31937.exe, 0000000F.00000002.4483967355.0000000000B60000.00000002.sdmp, svch0st.31937.exe, 00000011.00000002.4525122721.0000000002510000.00000002.sdmp, svch0st.31937.exe, 00000016.00000002.4555605622.0000000003140000.00000002.sdmp, svch0st.31937.exe, 00000019.00000002.4588434185.00000000028E0000.00000002.sdmp, svch0st.31937.exe, 0000001A.00000002.4597397623.00000000010F0000.00000002.sdmp, svch0st.31937.exe, 0000001B.00000002.4626620566.0000000002F80000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svch0st.31937.exe, 00000002.00000002.4331305544.0000000003080000.00000002.sdmp, svch0st.31937.exe, 0000000D.00000002.4452996535.0000000002A90000.00000002.sdmp, svch0st.31937.exe, 0000000E.00000002.4471729261.0000000002950000.00000002.sdmp, svch0st.31937.exe, 0000000F.00000002.4483967355.0000000000B60000.00000002.sdmp, svch0st.31937.exe, 00000011.00000002.4525122721.0000000002510000.00000002.sdmp, svch0st.31937.exe, 00000016.00000002.4555605622.0000000003140000.00000002.sdmp, svch0st.31937.exe, 00000019.00000002.4588434185.00000000028E0000.00000002.sdmp, svch0st.31937.exe, 0000001A.00000002.4597397623.00000000010F0000.00000002.sdmp, svch0st.31937.exe, 0000001B.00000002.4626620566.0000000002F80000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svch0st.31937.exe, 00000002.00000002.4331305544.0000000003080000.00000002.sdmp, svch0st.31937.exe, 0000000D.00000002.4452996535.0000000002A90000.00000002.sdmp, svch0st.31937.exe, 0000000E.00000002.4471729261.0000000002950000.00000002.sdmp, svch0st.31937.exe, 0000000F.00000002.4483967355.0000000000B60000.00000002.sdmp, svch0st.31937.exe, 00000011.00000002.4525122721.0000000002510000.00000002.sdmp, svch0st.31937.exe, 00000016.00000002.4555605622.0000000003140000.00000002.sdmp, svch0st.31937.exe, 00000019.00000002.4588434185.00000000028E0000.00000002.sdmp, svch0st.31937.exe, 0000001A.00000002.4597397623.00000000010F0000.00000002.sdmp, svch0st.31937.exe, 0000001B.00000002.4626620566.0000000002F80000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0046755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0046755F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0045673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0045673B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00473570 mov eax, dword ptr fs:[00000030h] 0_2_00473570
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00473570 mov eax, dword ptr fs:[00000030h] 2_2_00473570
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_003C02B0 GetProcessHeap,HeapAlloc, 0_2_003C02B0
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_004480DE SetUnhandledExceptionFilter, 0_2_004480DE
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00448133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00448133
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0046755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0046755F
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_004480DE SetUnhandledExceptionFilter, 2_2_004480DE
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00448133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00448133
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_0046755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0046755F
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Code function: 2_2_00447F4B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00447F4B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default User\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\Warning.png'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\ThirdPartyNotices.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\12UGI5G9\BBPYIfz[1].jpg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates\last-update.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\qml\QtQuick\Controls.2\ScrollBar.qml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\Warning.png'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\ThirdPartyNotices.txt'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\12UGI5G9\BBPYIfz[1].jpg'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates\last-update.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\qml\QtQuick\Controls.2\ScrollBar.qml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\ie4uinit-UserConfig.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\Warning.png'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\ThirdPartyNotices.txt'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\12UGI5G9\BBPYIfz[1].jpg'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\updates\E7CF176E110C211B\updates\last-update.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\qml\QtQuick\Controls.2\ScrollBar.qml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\bn-IN\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lb-lu\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lv\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\18.192.0920.0015\ca\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
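The process list above shows one image spawning a copy of itself once per file, with `-w '<file>'` arguments whose paths contain `Application Data` repeated up to ten times. Under a Windows profile, `AppData\Local\Application Data` (like `C:\Documents and Settings`) is an NTFS junction kept for pre-Vista compatibility, and it points back at `AppData\Local` itself, so a directory walk that follows reparse points re-enters it until the path length limit is hit. That loop, combined with one child process per file, is what produces the "Too many similar processes found" finding. The script below is added here as an example and is not part of the Joe Sandbox report: it turns that observation into a triage check over process-creation records by parsing the `-w` command lines, counting self-spawns per image and measuring how many times each target path re-enters a legacy junction. The record tuples (parent image, child command line), the regular expression for the report's single-quoted rendering, the junction list and the thresholds are assumptions made for this example; the sample records are constructed from the report's own paths, shortened.

```python
"""Triage helper for sandbox process-creation records (added example).

Flags the pattern where one image repeatedly spawns a copy of itself with a
`-w '<file>'` argument whose path re-enters the same legacy NTFS junction
("Application Data", "Documents and Settings", "Local Settings") over and over,
the signature of a naive recursive directory walk that follows reparse points.
The record layout, regex, junction list and thresholds are assumptions for this
example, not part of the sandbox report.
"""
import re
from collections import Counter, defaultdict

# Backward-compatibility junctions Windows keeps under the user profile; a sane
# enumerator never descends into the same one twice in a row.
LEGACY_JUNCTIONS = {"application data", "documents and settings", "local settings"}

# Matches "<image> -w '<path>'" as the report renders it (single-quoted path).
_CMD_RE = re.compile(r"^(?P<image>\S+)\s+-w\s+'(?P<target>[^']*)'\s*$")

# Constructed sample records, modelled on the report: (parent image, child command line).
SAMPLE_RECORDS = [
    (r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe",
     r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w "
     r"'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data"
     r"\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little'"),
    (r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe",
     r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w "
     r"'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data"
     r"\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'"),
    (r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe",
     r"C:\Users\user\AppData\Local\Temp\svch0st.31937.exe -w "
     r"'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data"
     r"\Google\Chrome\User Data\Default\Cache\data_0'"),
    # Benign control (constructed): a shell launching an editor once, no junction loop.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe C:\Users\user\Documents\notes.txt"),
]


def parse_walker_cmdline(cmdline):
    """Return (image, target_path) for an '<image> -w <path>' command line, else None."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return None
    return m.group("image"), m.group("target")


def junction_reentries(path):
    """Count how often the path re-enters a legacy junction it is already inside.

    Consecutive identical junction segments are counted, so
    'X\\Application Data\\Application Data\\Application Data\\Y' yields 2.
    """
    segments = [s.lower() for s in path.split("\\")]
    return sum(1 for prev, cur in zip(segments, segments[1:])
               if cur in LEGACY_JUNCTIONS and cur == prev)


def analyze(records, min_self_spawns=2, min_reentries=1):
    """Summarise self-spawning walker activity in (parent, cmdline) records.

    Returns one finding per image that spawned itself at least min_self_spawns
    times with at least one target path re-entering a junction min_reentries times.
    """
    self_spawns = Counter()
    targets = defaultdict(set)
    worst_reentry = Counter()
    for parent, cmdline in records:
        parsed = parse_walker_cmdline(cmdline)
        if parsed is None:
            continue
        image, target = parsed
        if image.lower() == parent.lower():
            self_spawns[image] += 1
        targets[image].add(target)
        worst_reentry[image] = max(worst_reentry[image], junction_reentries(target))
    return [
        {
            "image": image,
            "self_spawns": n,
            "distinct_targets": len(targets[image]),
            "max_junction_reentries": worst_reentry[image],
        }
        for image, n in self_spawns.items()
        if n >= min_self_spawns and worst_reentry[image] >= min_reentries
    ]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Feed it the full list of process-creation records and it reports, per image, how many times the image launched itself and the deepest junction loop it followed; the benign control record is ignored because it carries no `-w` argument. Raising `min_self_spawns` suppresses tools that legitimately re-invoke themselves a handful of times.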
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_003B1080 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,0_2_003B1080
This pair of calls is the usual way to build a security descriptor with a NULL DACL, which grants everyone access to the mutex, pipe or other object it is applied to; whether the DACL set here is NULL or restrictive is not visible in this listing.
May try to detect the Windows Explorer process (often used for injection)
Source: svch0st.31937.exe, 00000001.00000002.5508558189.00000000016F0000.00000002.sdmp  Binary or memory string: Program Manager
Source: svch0st.31937.exe, 00000001.00000002.5508558189.00000000016F0000.00000002.sdmp  Binary or memory string: Shell_TrayWnd
Source: svch0st.31937.exe, 00000001.00000002.5508558189.00000000016F0000.00000002.sdmp  Binary or memory string: Progman
Source: svch0st.31937.exe, 00000001.00000002.5508558189.00000000016F0000.00000002.sdmp  Binary or memory string: Progmanlock
"Progman" and "Shell_TrayWnd" are the window class names of the desktop shell and taskbar windows, and "Program Manager" is the desktop window's title; all three are typically passed to FindWindow. The report shows only the strings in memory, not the call that consumes them.

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
The routines listed below (GetLocaleInfoW, EnumSystemLocalesW, ___crtGetLocaleInfoEx, GetUserDefaultLCID) are the statically linked MSVC C runtime's locale initialisation, and they appear at identical addresses in the original (process 0) and the dropped copy (process 2). On their own they do not indicate language-based targeting.
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00481139
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,0_2_00446CA9
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: ___crtGetLocaleInfoEx,0_2_00446DA2
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: EnumSystemLocalesW,0_2_004813FC
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: EnumSystemLocalesW,0_2_004813B1
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: EnumSystemLocalesW,0_2_00481497
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00481524
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: EnumSystemLocalesW,0_2_0047774F
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,0_2_00481774
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0048189D
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,0_2_004819A4
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00481A71
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: GetLocaleInfoW,0_2_00477C38
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00481139
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: EnumSystemLocalesW,2_2_004813FC
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: EnumSystemLocalesW,2_2_004813B1
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: EnumSystemLocalesW,2_2_00481497
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00481524
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,2_2_00481774
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0048189D
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,2_2_004819A4
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00481A71
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,2_2_00446CA9
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: ___crtGetLocaleInfoEx,2_2_00446DA2
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: EnumSystemLocalesW,2_2_0047774F
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: GetLocaleInfoW,2_2_00477C38
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_004479DD cpuid 0_2_004479DD
The MSVC runtime's startup code also executes cpuid to choose SSE/AVX code paths, so a single cpuid at an address inside the runtime-library region is weak evidence of hypervisor detection by itself; the WMI Win32_ComputerSystem and Win32_Bios queries reported for the dropped copy are the stronger indicator.
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_0044832E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0044832E
This exact call sequence is the runtime's stack-cookie initialisation (__security_init_cookie), which every /GS-compiled binary contains; it is not sample-specific behaviour.
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_0047EF62 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0047EF62
The _free and WideCharToMultiByte calls around GetTimeZoneInformation match the runtime's time-zone initialisation (_tzset) rather than application code.
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: 2_2_0044DF40 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,2_2_0044DF40
The Concurrency::details:: frames identify this as the Concurrency Runtime (ConcRT) initialisation linked into the binary; it checks the OS version to pick which system functions are available.
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\svch0st.4553.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Unlike the items above, this is an observed runtime registry read by the original sample rather than runtime-library code. MachineGuid is stable for the life of a Windows installation and is commonly used by malware as a victim identifier.

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\6c4zjj0s.default\startupCache\startupCache.4.little
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0.locked
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\data_0
The files actually opened are Firefox's startupCache and Chrome's cache block file data_0, reached through the same junction-looped paths as the process enumeration above; neither is a credential or history store (those would be Chrome's Login Data, Cookies and History, or Firefox's logins.json, key4.db and places.sqlite). A file named data_0.locked is opened beside data_0; whether the sample created it is not shown in this section.

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_004586D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_004586D3
Source: C:\Users\user\Desktop\svch0st.4553.exe  Code function: 0_2_004593A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004593A5
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: 2_2_004586D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,2_2_004586D3
Source: C:\Users\user\AppData\Local\Temp\svch0st.31937.exe  Code function: 2_2_004593A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,2_2_004593A5
The cited functions are Concurrency Runtime (ConcRT) scheduler internals from the statically linked MSVC runtime; no socket, bind or listen call appears in these code paths, so this signature should not be read as evidence of a listening backdoor without network or API-trace data to back it.

Behavior Graph

The graph is rendered as an image in the original report; the information recoverable from its text is:

Behavior Graph ID: 106030, Sample: svch0st.4553.exe, Start date: 25/01/2019, Architecture: WINDOWS, Score: 72
  • Root signatures: Too many similar processes found; Multi AV Scanner detection for submitted file
  • svch0st.4553.exe started; signature: Moves itself to temp directory
  • svch0st.31937.exe started by svch0st.4553.exe; signatures: Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • svch0st.31937.exe in turn starts further svch0st.31937.exe children (the graph text is cut off at this point in the source)