
Analysis Report svch0st.4553.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 106937
Start date: 29.01.2019
Start time: 09:40:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: svch0st.4553.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.winEXE@223/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 12.5% (good quality ratio 11.9%)
  • Quality average: 63.6%
  • Quality standard deviation: 24.6%
HCA Information:
  • Successful, ratio: 89%
  • Number of executed functions: 62
  • Number of non-executed functions: 294
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 60 (range 0 - 100)
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further analysis required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques per tactic as rendered in the report's matrix. The number in parentheses is the count of signatures that matched the technique; entries without a number had no matching signature in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface (1); Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection (11); Accessibility Features; Path Interception
Defense Evasion: Masquerading (1); Process Injection (11); Obfuscated Files or Information (2)
Credential Access: Input Capture (1); Network Sniffing; Input Capture
Discovery: Security Software Discovery (21); File and Directory Discovery (11); System Information Discovery (23)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (2); Fallback Channels; Custom Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: svch0st.4553.exe, virustotal: Detection: 60%
Source: svch0st.4553.exe, metadefender: Detection: 27%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F8580 CryptReleaseContext
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F8650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F7FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F8120 CryptAcquireContextA,GetLastError,CryptReleaseContext
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F84B0 CryptReleaseContext
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_001F84F0 CryptGenRandom,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F8580 CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F8650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F7FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F8120 CryptAcquireContextA,GetLastError,CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F84B0 CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001F84F0 CryptGenRandom,__CxxThrowException@8
Note: the listed functions acquire a CryptoAPI provider context (CryptAcquireContextA is retried several times, with GetLastError/SetLastError between attempts) and call CryptGenRandom, i.e. the provider is used as a random-number source. No encryption or hashing call (CryptEncrypt, CryptHashData) appears among the functions listed here. The same functions sit at the same addresses in process 0 (the submitted file) and process 5 (the svch0st.4158.exe instance run from %TEMP%).

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe File opened: C:\Documents and Settings\Default\
Note: C:\Documents and Settings and the Application Data entry under AppData\Local are compatibility junctions (to C:\Users and to AppData\Local itself). The nested Application Data\Application Data\... paths show the directory walk re-entering the same junction on every level rather than reaching distinct directories, which inflates the number of files the sample touches and explains the oversized report.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_00204E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_00204E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_00204EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_0024F56B FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_00204E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_00204E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_00204EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_0024F56B FindFirstFileExA
Note: ___std_fs_open_handle@16 is an internal of the MSVC std::filesystem implementation, so the directory walk is most likely done through the C++17 std::filesystem library rather than hand-written FindFirstFile loops.
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001B7B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent
Note: this function disables WOW64 file-system redirection around the drive and folder enumeration, so the 32-bit process sees the native System32 paths rather than SysWOW64.

Networking:

Urls found in memory or binary data
Source: svch0st.4553.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: svch0st.4553.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svch0st.4553.exe String found in binary or memory: http://ocsp.comodoca.com0
Note: these are the CRL distribution point and OCSP URLs of a Comodo code-signing certificate chain embedded in the binary; the trailing "0q", "0t" and "0" are the adjacent DER bytes, not part of the URLs. They are not evidence of command-and-control traffic, and this section lists no contacted hosts.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: svch0st.4553.exe, 00000000.00000002.4790701358.00000000014D0000.00000004.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string names DDRAW.DLL / DirectDrawCreateEx, which is DirectDraw (graphics), not DirectInput; on its own it is weak evidence for keystroke capture.

DDoS:

Too many similar processes found
Source: unknown Process created: 136
Source: svch0st.4158.exe Process created: 86

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\svch0st.4553.exe Code functions (29):
0_2_001C13F0, 0_2_001DC070, 0_2_001FE060, 0_2_001B0150, 0_2_00240220, 0_2_0021E205, 0_2_001E4220, 0_2_001DC280, 0_2_001C6320, 0_2_001D2490,
0_2_001BE480, 0_2_001DC500, 0_2_002205FD, 0_2_0018E620, 0_2_001B6710, 0_2_001E07DB, 0_2_001FE930, 0_2_00242A32, 0_2_001CEC30, 0_2_001E0E49,
0_2_001B6EA0, 0_2_001D4FD0, 0_2_00231261, 0_2_0021B27F, 0_2_001E53A0, 0_2_001F33E0, 0_2_0024D409, 0_2_001FF610, 0_2_0022F7A0
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code functions (45 distinct; 5_2_001C13F0 is listed twice in the report):
5_2_0018E620, 5_2_001E0E49, 5_2_001D4FD0, 5_2_001C13F0, 5_2_001DC070, 5_2_001FE060, 5_2_001B0150, 5_2_00240220, 5_2_0021E205, 5_2_001E4220,
5_2_001DC280, 5_2_001C6320, 5_2_002163DA, 5_2_001D2490, 5_2_001BE480, 5_2_001DC500, 5_2_002205FD, 5_2_001B6710, 5_2_001E07DB, 5_2_001FE930,
5_2_001E09FF, 5_2_00242A32, 5_2_001CEC30, 5_2_001B6EA0, 5_2_00231261, 5_2_0021B27F, 5_2_001E12E3, 5_2_001E53A0, 5_2_001F33E0, 5_2_0024D409,
5_2_001FF610, 5_2_0022F7A0, 5_2_001B97D0, 5_2_001CF900, 5_2_001FF9C0, 5_2_0022FA0B, 5_2_0021BA65, 5_2_001DFA52, 5_2_001DFA45, 5_2_001B7B60,
5_2_001FDCA0, 5_2_001CDCD0, 5_2_001DFE36, 5_2_001FBE30, 5_2_001FFE20
Note: this signature is a heuristic over instruction patterns; the direct evidence of cryptographic API use is in the Cryptography section above.
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: String function: 00217E90 appears 47 times
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: String function: 00217D7A appears 108 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: String function: 00194D00 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: String function: 00217E90 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: String function: 00217D7A appears 162 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: String function: 00217DAE appears 68 times
Sample file is different than original file name gathered from version info
Source: svch0st.4553.exe, 00000000.00000002.4788162317.00000000002AA000.00000002.sdmp Binary or memory string: OriginalFilename worker32 vs svch0st.4553.exe
Source: svch0st.4553.exe Binary or memory string: OriginalFilename worker32 vs svch0st.4553.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\svch0st.4553.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Section loaded: wow64log.dll (34 identical entries in the report, one per svch0st.4158.exe process that was logged)
Note: the WOW64 layer tries to load wow64log.dll in every 32-bit process on 64-bit Windows, and the DLL does not ship with the OS, so this entry is expected for any 32-bit executable. It confirms the sample runs under WOW64 but is not malicious behaviour by itself. It is also the only missing library this report lists, so the Analysis Advice about supplying the missing library would not reveal additional sample behaviour.
Classification label
Source: classification engine Classification label: mal60.winEXE@223/0@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\svch0st.4553.exe Code function: 0_2_0020540C GetDiskFreeSpaceExW,GetLastError,GetDiskFreeSpaceExW,GetLastError
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Code function: 5_2_001BD9B0 CoCreateInstance, followed by a long run of __CxxThrowException@8 call sites
Might use command line arguments
Source: C:\Users\user\Desktop\svch0st.4553.exe Command line argument: .n% (0_2_00256D80)
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Command line argument: .n% (5_2_00256D80)
PE file has an executable .text section and no other executable section
Source: svch0st.4553.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\svch0st.4553.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key holds the Software Restriction Policies (SAFER) configuration and is read during process start-up for many ordinary programs; it is a low-signal entry.
Sample is known by Antivirus
Source: svch0st.4553.exe virustotal: Detection: 60%
Source: svch0st.4553.exe metadefender: Detection: 27%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\svch0st.4553.exe 'C:\Users\user\Desktop\svch0st.4553.exe'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Jay Jay Hammer\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\Local\Microsoft\Office\OTele\officehubwin32.exe.db.session'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Public\Libraries\RecordedTV.library-ms'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Color\Profiles\wsRGB.icc'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2764.tmp'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.chk'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'
Source: C:\Users\user\Desktop\svch0st.4553.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Jay Jay Hammer\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\Local\Microsoft\Office\OTele\officehubwin32.exe.db.session'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Public\Libraries\RecordedTV.library-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Color\Profiles\wsRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2764.tmp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.chk'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Public\Libraries\RecordedTV.library-ms'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents'
Submission file is bigger than most known malware samples
Source: svch0st.4553.exe | Static file information: File size 1267728 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: svch0st.4553.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: svch0st.4553.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: svch0st.4553.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0022673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_0022673B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00217D43 push ecx; ret | 5_2_00217D56
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00217ED6 push ecx; ret | 5_2_00217EE9

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\svch0st.4553.exe | File moved: C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_002163DA GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 5_2_002163DA
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | File opened: C:\Documents and Settings\Default\
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_5-80929
Source: C:\Users\user\Desktop\svch0st.4553.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-52135
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\svch0st.4553.exe | API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | API coverage: 5.0 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00204E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, | 0_2_00204E2B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00204E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, | 0_2_00204E4B
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00204EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, | 0_2_00204EAE
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0024F56B FindFirstFileExA, | 0_2_0024F56B
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00204E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, | 5_2_00204E2B
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00204E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, | 5_2_00204E4B
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00204EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, | 5_2_00204EAE
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_0024F56B FindFirstFileExA, | 5_2_0024F56B
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_001B7B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent, | 5_2_001B7B60
Contains functionality to query system information
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00181000 GetSystemInfo, | 0_2_00181000
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svch0st.4158.exe, 00000005.00000002.4808388071.0000000002820000.00000002.sdmp, svch0st.4158.exe, 0000001B.00000002.5065482819.0000000002DB0000.00000002.sdmp, svch0st.4158.exe, 0000001C.00000002.5053280563.0000000003220000.00000002.sdmp, svch0st.4158.exe, 00000023.00000002.5127905674.00000000027F0000.00000002.sdmp, svch0st.4158.exe, 00000024.00000002.5142210423.0000000002600000.00000002.sdmp, svch0st.4158.exe, 00000025.00000002.5178454573.00000000027E0000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svch0st.4158.exe, 00000005.00000002.4808388071.0000000002820000.00000002.sdmp, svch0st.4158.exe, 0000001B.00000002.5065482819.0000000002DB0000.00000002.sdmp, svch0st.4158.exe, 0000001C.00000002.5053280563.0000000003220000.00000002.sdmp, svch0st.4158.exe, 00000023.00000002.5127905674.00000000027F0000.00000002.sdmp, svch0st.4158.exe, 00000024.00000002.5142210423.0000000002600000.00000002.sdmp, svch0st.4158.exe, 00000025.00000002.5178454573.00000000027E0000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svch0st.4158.exe, 00000005.00000002.4808388071.0000000002820000.00000002.sdmp, svch0st.4158.exe, 0000001B.00000002.5065482819.0000000002DB0000.00000002.sdmp, svch0st.4158.exe, 0000001C.00000002.5053280563.0000000003220000.00000002.sdmp, svch0st.4158.exe, 00000023.00000002.5127905674.00000000027F0000.00000002.sdmp, svch0st.4158.exe, 00000024.00000002.5142210423.0000000002600000.00000002.sdmp, svch0st.4158.exe, 00000025.00000002.5178454573.00000000027E0000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svch0st.4158.exe, 00000005.00000002.4808388071.0000000002820000.00000002.sdmp, svch0st.4158.exe, 0000001B.00000002.5065482819.0000000002DB0000.00000002.sdmp, svch0st.4158.exe, 0000001C.00000002.5053280563.0000000003220000.00000002.sdmp, svch0st.4158.exe, 00000023.00000002.5127905674.00000000027F0000.00000002.sdmp, svch0st.4158.exe, 00000024.00000002.5142210423.0000000002600000.00000002.sdmp, svch0st.4158.exe, 00000025.00000002.5178454573.00000000027E0000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0023755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0023755F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0022673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_0022673B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00243570 mov eax, dword ptr fs:[00000030h] | 0_2_00243570
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00243570 mov eax, dword ptr fs:[00000030h] | 5_2_00243570
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_001902B0 GetProcessHeap,HeapAlloc, | 0_2_001902B0
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_00218133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00218133
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0023755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0023755F
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_002180DE SetUnhandledExceptionFilter, | 5_2_002180DE
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00218133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_00218133
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_0023755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_0023755F
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_00217F4B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_00217F4B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Jay Jay Hammer\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\Local\Microsoft\Office\OTele\officehubwin32.exe.db.session'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Public\Libraries\RecordedTV.library-ms'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Color\Profiles\wsRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2764.tmp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.chk'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Public\Libraries\RecordedTV.library-ms'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents'Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Note: in this sample the long arguments are not encrypted or packed data but file paths in which the Application Data segment repeats. On Windows Vista and later, C:\Documents and Settings is a junction to C:\Users and C:\Users\<user>\AppData\Local\Application Data is a junction back to C:\Users\<user>\AppData\Local; a directory walk that follows reparse points instead of skipping them re-enters the same folder and produces these nested paths. Every child listed below is the sample re-launching itself with -w '<file>' for one file at a time.
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2764.tmp'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.chk'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2764.tmp'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.chk'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\Cache\AcroFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\OneDrive.exe'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\V01.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UPPS\UPPS.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe C:\Users\user~1\AppData\Local\Temp\svch0st.4158.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Users\user\Desktop\svch0st.4553.exeCode function: 0_2_00181080 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,0_2_00181080
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: svch0st.4158.exe, 00000003.00000002.6048048750.0000000001160000.00000002.sdmpBinary or memory string: Program Managere
Source: svch0st.4158.exe, 00000003.00000002.6048048750.0000000001160000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: svch0st.4158.exe, 00000003.00000002.6048048750.0000000001160000.00000002.sdmpBinary or memory string: Progman
Source: svch0st.4158.exe, 00000003.00000002.6048048750.0000000001160000.00000002.sdmpBinary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00251139
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: GetLocaleInfoW,0_2_00216CA9
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: ___crtGetLocaleInfoEx,0_2_00216DA2
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: EnumSystemLocalesW,0_2_002513B1
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: EnumSystemLocalesW,0_2_002513FC
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: EnumSystemLocalesW,0_2_00251497
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00251524
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: GetLocaleInfoW,0_2_00251774
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: EnumSystemLocalesW,0_2_0024774F
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00251139
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,5_2_00216CA9
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: ___crtGetLocaleInfoEx,5_2_00216DA2
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: EnumSystemLocalesW,5_2_002513B1
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: EnumSystemLocalesW,5_2_002513FC
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: EnumSystemLocalesW,5_2_00251497
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00251524
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,5_2_00251774
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: EnumSystemLocalesW,5_2_0024774F
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_0025189D
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,5_2_002519A4
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00251A71
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: GetLocaleInfoW,5_2_00247C38
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_002179DD cpuid 5_2_002179DD
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0021832E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0021832E
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_0024EF62 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0024EF62
Contains functionality to query Windows version
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_0021DF40 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,5_2_0021DF40
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\svch0st.4553.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_002286D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_002286D3
Source: C:\Users\user\Desktop\svch0st.4553.exe | Code function: 0_2_002293A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_002293A5
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_002286D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,5_2_002286D3
Source: C:\Users\user\AppData\Local\Temp\svch0st.4158.exe | Code function: 5_2_002293A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,5_2_002293A5

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph image] Behavior Graph ID: 106937. Sample: svch0st.4553.exe. Start date: 29/01/2019. Architecture: WINDOWS. Score: 60.
Signatures: Too many similar processes found; Multi AV Scanner detection for submitted file; Moves itself to temp directory.
Process tree: svch0st.4553.exe started svch0st.4158.exe, which in turn started svch0st.4158.exe (three instances shown) and 30 other processes.

Simulations

Behavior and APIs

Time | Type | Description
09:41:37 | API Interceptor | 1108x Sleep call for process: svch0st.4553.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
svch0st.4553.exe | 61% | virustotal | (none)
svch0st.4553.exe | 27% | metadefender | (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.