
Analysis Report 5d9EP7DOdB.bin

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 106938
Start date: 29.01.2019
Start time: 09:48:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 5d9EP7DOdB.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.spyw.evad.winEXE@211/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.2% (good quality ratio 3%)
  • Quality average: 63.9%
  • Quality standard deviation: 23.5%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 68
  • Number of non-executed functions: 290
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 60
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection11; Accessibility Features; Path Interception
Defense Evasion: Process Injection11; Obfuscated Files or Information2; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery21; File and Directory Discovery11; System Information Discovery23
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System1; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol2; Fallback Channels; Custom Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: 5d9EP7DOd.exe | virustotal: Detection: 59%
Source: 5d9EP7DOd.exe | metadefender: Detection: 27%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C48580 CryptReleaseContext,2_2_00C48580
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C48650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,2_2_00C48650
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C47FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,2_2_00C47FC0
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C48120 CryptAcquireContextA,GetLastError,CryptReleaseContext,2_2_00C48120
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C484F0 CryptGenRandom,__CxxThrowException@8,2_2_00C484F0
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C484B0 CryptReleaseContext,2_2_00C484B0
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C48580 CryptReleaseContext,5_2_00C48580
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C48650 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,5_2_00C48650
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C47FC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,5_2_00C47FC0
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C48120 CryptAcquireContextA,GetLastError,CryptReleaseContext,5_2_00C48120
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C484F0 CryptGenRandom,__CxxThrowException@8,5_2_00C484F0
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C484B0 CryptReleaseContext,5_2_00C484B0

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\Default\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C54EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,2_2_00C54EAE
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C54E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,2_2_00C54E4B
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C54E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,2_2_00C54E2B
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C9F56B FindFirstFileExA,2_2_00C9F56B
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C54EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,5_2_00C54EAE
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C54E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,5_2_00C54E4B
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C54E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,5_2_00C54E2B
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C9F56B FindFirstFileExA,5_2_00C9F56B
Contains functionality to query local drives
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C07B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent,2_2_00C07B60

Networking:

Urls found in memory or binary data
Source: 5d9EP7DOd.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 5d9EP7DOd.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 5d9EP7DOd.exe | String found in binary or memory: http://ocsp.comodoca.com0

DDoS:

Too many similar processes found
Source: unknown | Process created: 126
Source: svch0st.3223.exe | Process created: 82

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:616:120:WilError_01
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: String function: 00C67DAE appears 66 times
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: String function: 00BE4D00 appears 35 times
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: String function: 00C67E90 appears 57 times
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: String function: 00C67D7A appears 165 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: String function: 00C67DAE appears 68 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: String function: 00BE4D00 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: String function: 00C66FE4 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: String function: 00C67E90 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: String function: 00C67D7A appears 166 times
Sample file is different than original file name gathered from version info
Source: 5d9EP7DOd.exe | Binary or memory string: OriginalFilename: worker32> vs 5d9EP7DOd.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal60.spyw.evad.winEXE@211/0@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C5540C GetDiskFreeSpaceExW,GetLastError,GetDiskFreeSpaceExW,GetLastError,2_2_00C5540C
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C0D9B0 CoCreateInstance,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,2_2_00C0D9B0
PE file has an executable .text section and no other executable section
Source: 5d9EP7DOd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 5d9EP7DOd.exe | virustotal: Detection: 59%
Source: 5d9EP7DOd.exe | metadefender: Detection: 27%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\5d9EP7DOdB.exe 'C:\Users\user\Desktop\5d9EP7DOdB.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\images\waterGlass.svg'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\update10[1].xml'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\RdrManifest2[1].msi'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-bd\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bg\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\sw\FileSync.LocalizedResources.dll.mui'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\Desktop\5d9EP7DOdB.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -wJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\images\waterGlass.svg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\update10[1].xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\RdrManifest2[1].msi'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-bd\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bg\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\sw\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: unknown unknown
Submission file is bigger than most known malware samples
Source: 5d9EP7DOd.exe Static file information: File size 1267728 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 5d9EP7DOd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: 5d9EP7DOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: 5d9EP7DOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5d9EP7DOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5d9EP7DOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5d9EP7DOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5d9EP7DOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
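The static PE facts listed above (the DllCharacteristics flags and which section each data directory's RVA falls into) can be checked without a sandbox. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It reads the headers directly with struct and, because no file from the report is available here, runs against a constructed minimal PE32 whose header layout mirrors the report's findings (DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE set; IMPORT, LOAD_CONFIG and IAT in .rdata; RESOURCE in .rsrc; BASERELOC in .reloc). The constructed file also gives the DEBUG directory an RVA that lies in no section, which is the one directory the report lists as present but leaves unmapped; the parser reports None for such an entry instead of failing. Pass a real file path as the first argument to run it on a sample.

```python
"""PE header triage: DllCharacteristics flags and data-directory-to-section
mapping, read straight from the headers with struct (no pefile dependency)."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",          # image can be relocated: ASLR-compatible
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",             # DEP-compatible
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_DIRECTORY_ENTRY_* names in the order stored in the optional header.
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_pe(data: bytes) -> dict:
    """Return the set DllCharacteristics flags, the section names, and for every
    populated data directory its (rva, size, containing section or None)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    # A hostile header can claim more than 16 directories; never trust it.
    ndirs = min(struct.unpack_from("<I", data, opt + ndirs_off)[0], 16)

    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))

    def section_for(rva):
        for name, vaddr, vsize in sections:
            if vaddr <= rva < vaddr + vsize:
                return name
        return None               # RVA outside every section

    directories = {}
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            # SECURITY (index 4) stores a file offset, not an RVA: no section.
            sec = None if i == 4 else section_for(rva)
            directories[DATA_DIRECTORIES[i]] = (rva, size, sec)

    flags = sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit)
    return {"dll_characteristics": flags,
            "sections": [s[0] for s in sections],
            "directories": directories}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed file) whose headers mirror the
    report: DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, IMPORT/LOAD_CONFIG/IAT
    in .rdata, RESOURCE in .rsrc, BASERELOC in .reloc, and a DEBUG entry whose
    RVA (0x300, inside the headers) falls in no section."""
    sections = [(b".text", 0x1000, 0x1000), (b".rdata", 0x2000, 0x1000),
                (b".rsrc", 0x3000, 0x1000), (b".reloc", 0x4000, 0x1000)]
    dirs = {"IMPORT": (0x2100, 0x50), "RESOURCE": (0x3000, 0x200),
            "BASERELOC": (0x4000, 0x100), "DEBUG": (0x0300, 0x1C),
            "LOAD_CONFIG": (0x2200, 0x40), "IAT": (0x2000, 0x80)}
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)
    for name, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * DATA_DIRECTORIES.index(name), rva, size)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    for name, (rva, size, sec) in info["directories"].items():
        print(f"{name:<14} rva={rva:#08x} size={size:#06x} section={sec}")
```

Two details matter when reading the output against a report like this one: the SECURITY directory holds a file offset rather than an RVA, so it is never mapped to a section, and NumberOfRvaAndSizes is clamped to 16 because a crafted header can claim more and walk the parser off the end of the optional header.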

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C7673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00BEEF11 push ebx; retf 2_2_00BEEF14
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00BF15E5 push eax; retf 2_2_00BF15E7
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00BF16AC push eax; retf 2_2_00BF16AE
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C67D43 push ecx; ret 2_2_00C67D56
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C67ED6 push ecx; ret 2_2_00C67EE9
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BF15E5 push eax; retf 5_2_00BF15E7
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BF16AC push eax; retf 5_2_00BF16AE
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BF1F97 push eax; retf 5_2_00BF1F98
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BF1F29 push eax; retf 5_2_00BF1F2B
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BF1F65 push eax; retf 5_2_00BF1F67
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00BEEF11 push ebx; retf 5_2_00BEEF14
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C67D43 push ecx; ret 5_2_00C67D56
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C67ED6 push ecx; ret 5_2_00C67EE9

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C663DA GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\AppData\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\AppData\Local\Application Data\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe File opened: C:\Documents and Settings\Default\
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_5-87896)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_2-80483)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe API coverage: 5.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\conhost.exe TID: 4320 Thread sleep count: 61 > 30
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Both sleep-related hits are attributed to conhost.exe, the console host that Windows starts for a console-subsystem process, not to the sample's own image; they say nothing about delay loops in the sample's code.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C54EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C54E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C54E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C9F56B FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C54EAE GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C54E4B FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C54E2B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C9F56B FindFirstFileExA
Contains functionality to query local drives
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C07B60 __Xtime_get_ticks,Wow64DisableWow64FsRedirection,GetWindowsDirectoryW,std::locale::_Init,SHGetFolderPathW,SHGetFolderPathW,std::locale::_Init,SHGetFolderPathW,GetLogicalDriveStringsW,GetDriveTypeW,SetEvent,SHGetFolderPathW,Wow64RevertWow64FsRedirection,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CloseHandle,SetEvent,SetEvent,SetEvent,SetEvent
Contains functionality to query system information
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00BD1000 GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source (the same memory dumps for all four strings): svch0st.3223.exe, 00000005.00000002.4359438183.00000000031C0000.00000002.sdmp, svch0st.3223.exe, 00000010.00000002.4518309343.0000000002C40000.00000002.sdmp, svch0st.3223.exe, 00000012.00000002.4538913875.0000000003530000.00000002.sdmp, svch0st.3223.exe, 00000015.00000002.4559480247.0000000002760000.00000002.sdmp, svch0st.3223.exe, 00000016.00000002.4576749698.0000000002610000.00000002.sdmp, svch0st.3223.exe, 00000017.00000002.4589737069.0000000000210000.00000002.sdmp, svch0st.3223.exe, 00000018.00000002.4589286479.0000000000D10000.00000002.sdmp, svch0st.3223.exe, 00000019.00000002.4621791521.0000000003220000.00000002.sdmp, svch0st.3223.exe, 0000001A.00000002.4642623739.00000000030E0000.00000002.sdmp, svch0st.3223.exe, 0000001C.00000002.4684379154.00000000032C0000.00000002.sdmp, svch0st.3223.exe, 0000001D.00000002.4682486067.0000000002B60000.00000002.sdmp, svch0st.3223.exe, 0000001E.00000002.4717866620.0000000002BD0000.00000002.sdmp, svch0st.3223.exe, 0000001F.00000002.4737046667.0000000002660000.00000002.sdmp
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
All four are the message texts of Windows' own HCS_E_* (Host Compute Service) error codes, found in memory regions of the same type in every svch0st.3223.exe instance; the operating system supplies these strings, and their presence in a dump does not by itself show that the sample looks for them.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C8755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C7673B LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C93570 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C93570 mov eax, dword ptr fs:[00000030h]
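What the two instruction-level signatures in this report actually match (the push reg; ret/retf pairs under Data Obfuscation and the mov eax, dword ptr fs:[00000030h] entries here) can be reproduced with a linear byte scan. The Python below is an added example for this page, not code from the report or from the sample: it looks for a push r32 immediately followed by ret or retf (opcodes 50+r, then C3/C2 or CB/CA) and for the two common encodings of a 32-bit read of the PEB pointer through fs:[30h] (64 A1 disp32 for eax, 64 8B modrm disp32 for any register). The input is a constructed byte string, not bytes from the sample, holding a small function that reads PEB.BeingDebugged followed by padding that happens to contain 53 CB; the load address is likewise an assumption.

```python
"""Linear byte scan for the two instruction-level patterns flagged in the
report: an adjacent 'push r32; ret/retf' pair and a 32-bit read of the PEB
pointer through fs:[30h]."""

# 32-bit register order used by the x86 opcode map (push r32 = 0x50 + index).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16"}
FS30 = b"\x30\x00\x00\x00"        # disp32 = 0x30: the PEB pointer inside the TEB


def find_push_ret(code: bytes, base: int = 0):
    """(address, text) for every push r32 immediately followed by ret/retf."""
    hits = []
    for i in range(len(code) - 1):
        op, nxt = code[i], code[i + 1]
        if 0x50 <= op <= 0x57 and nxt in RET_OPCODES:
            hits.append((base + i, f"push {REG32[op - 0x50]}; {RET_OPCODES[nxt]}"))
    return hits


def find_peb_reads(code: bytes, base: int = 0):
    """(address, text) for 'mov r32, dword ptr fs:[30h]' in either encoding:
    64 A1 disp32 (eax only) or 64 8B modrm disp32 with mod=00, rm=101."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0x64:                       # fs segment override prefix
            continue
        if code[i + 1] == 0xA1 and code[i + 2:i + 6] == FS30:
            hits.append((base + i, "mov eax, dword ptr fs:[00000030h]"))
        elif (code[i + 1] == 0x8B and i + 7 <= len(code)
              and code[i + 2] & 0xC7 == 0x05 and code[i + 3:i + 7] == FS30):
            reg = REG32[(code[i + 2] >> 3) & 7]   # reg field of the modrm byte
            hits.append((base + i, f"mov {reg}, dword ptr fs:[00000030h]"))
    return hits


def scan(code: bytes, base: int = 0) -> dict:
    return {"push_ret": find_push_ret(code, base),
            "peb_reads": find_peb_reads(code, base)}


# Constructed bytes (not taken from the sample): a tiny function that reads
# PEB.BeingDebugged, then padding that happens to contain 53 CB.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                 # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"        # mov eax, dword ptr fs:[30h]     -> PEB
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]     -> PEB.BeingDebugged
    "5D C3"                    # pop ebp; ret
    "00 00 00 5B 53 CB 00 00"  # data; 53 CB decodes as push ebx; retf
    "64 8B 1D 30 00 00 00"     # mov ebx, dword ptr fs:[30h]     (modrm encoding)
)
BASE = 0x00401000                 # assumed load address for the constructed bytes

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_CODE, BASE).items():
        for addr, text in hits:
            print(f"{kind:<9} {addr:08X}  {text}")
```

Two caveats apply to hits like the ones in the report. A linear scan has no notion of instruction boundaries, so a push/ret pair can be found inside data or straddling two real instructions, and retf (CB/CA) is almost never emitted by a compiler for 32-bit user-mode code, so push reg; retf hits are usually that kind of noise. Reading fs:[30h] is also how the C runtime and many legitimate programs reach the PEB; the read alone does not establish a debugger check, what is done with the pointer afterwards (here the BeingDebugged byte at offset 2) does.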
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00BE02B0 GetProcessHeap,HeapAlloc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C680DE SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C68133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Code function: 2_2_00C8755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C680DE SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C68133 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C8755F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Code function: 5_2_00C67F4B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Read these entries with the build in mind: the sequences IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter and SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess are the ones the MSVC runtime emits for its buffer-security (/GS) failure handlers, and GetProcessHeap followed by HeapAlloc is ordinary heap allocation. Together with the ___std_fs_open_handle@16 and std::locale::_Init symbols seen above they mark a normal MSVC C++ build rather than a deliberate anti-debugging routine, so on their own these hits are weak evidence.

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\images\waterGlass.svg'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\update10[1].xml'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\RdrManifest2[1].msi'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-bd\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bg\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\sw\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\images\waterGlass.svg'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\update10[1].xml'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\RdrManifest2[1].msi'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-bd\FileSync.LocalizedResources.dll.mui'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bg\FileSync.LocalizedResources.dll.mui'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\sw\FileSync.LocalizedResources.dll.mui'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe Process created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\DefaultLayouts.xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\settings.ini'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\AdobeCMapFnt19.lst'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\Error.png'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\KnownGameList.bin'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\images\waterGlass.svg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\update10[1].xml'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\RdrManifest2[1].msi'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-bd\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bg\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\sw\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313_2\lt\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\winword.exe.db'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\Low\IE\4HIGDOEE\BBPY1Yl[1].jpg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OneDrive\17.3.6816.0313\bn-in\FileSync.LocalizedResources.dll.mui'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exeProcess created: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\VTIIBVU5\IGOC1HS4.htm'Jump to behavior
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Users\user\Desktop\5d9EP7DOdB.exeCode function: 2_2_00BD1080 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,2_2_00BD1080
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: svch0st.3223.exe, 00000004.00000002.5552321188.00000000017C0000.00000002.sdmpBinary or memory string: Program Manager
Source: svch0st.3223.exe, 00000004.00000002.5552321188.00000000017C0000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: svch0st.3223.exe, 00000004.00000002.5552321188.00000000017C0000.00000002.sdmpBinary or memory string: Progman
Source: svch0st.3223.exe, 00000004.00000002.5552321188.00000000017C0000.00000002.sdmpBinary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00CA1139
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,2_2_00C66CA9
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: ___crtGetLocaleInfoEx,2_2_00C66DA2
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: EnumSystemLocalesW,2_2_00CA13FC
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: EnumSystemLocalesW,2_2_00CA13B1
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: EnumSystemLocalesW,2_2_00CA1497
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00CA1524
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: EnumSystemLocalesW,2_2_00C9774F
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,2_2_00CA1774
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00CA189D
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,2_2_00CA19A4
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00CA1A71
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: GetLocaleInfoW,2_2_00C97C38
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00CA1139
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: EnumSystemLocalesW,5_2_00CA13FC
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: EnumSystemLocalesW,5_2_00CA13B1
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: EnumSystemLocalesW,5_2_00CA1497
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00CA1524
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,5_2_00CA1774
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00CA189D
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,5_2_00CA19A4
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00CA1A71
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,5_2_00C66CA9
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: ___crtGetLocaleInfoEx,5_2_00C66DA2
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: EnumSystemLocalesW,5_2_00C9774F
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: GetLocaleInfoW,5_2_00C97C38
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C679DD cpuid 2_2_00C679DD
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C6832E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00C6832E
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C9EF62 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,2_2_00C9EF62
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C6DF40 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,5_2_00C6DF40
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Favicons
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache\index
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1.locked
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1
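The process-creation and file-open lines above carry two detection-relevant patterns: a dropped binary named svch0st.3223.exe (a digit-for-letter imitation of svchost.exe, running from %TEMP% rather than System32) and that binary, not a browser, opening Chrome's Cookies and Favicons databases. The repeated "Application Data" segments in the paths are an artifact of the per-user junction AppData\Local\Application Data, which points back to AppData\Local; a directory walk that follows reparse points loops through it, and "Documents and Settings" is likewise a junction to Users. The triage helper below is an added example written for this page, not Joe Sandbox output and not code from the sample: it normalizes those junction loops back to the real path, flags system-binary name masquerading, and flags browser-store access by non-browser processes. The event dictionaries are constructed from the report's lines, and the field names, the SYSTEM_IMAGES, BROWSER_STORES and BROWSER_IMAGES sets are assumptions of the example.

```python
"""Triage of process-creation and file-open events like the ones in this report.

Added example. The events are constructed from the report's lines, not exported
from the sandbox, and the event field names are an assumption of this example.
"""
import re
from pathlib import PureWindowsPath

# Core Windows image names that malware commonly imitates (assumed list).
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Chromium profile databases worth alerting on, and the browsers allowed to open them.
BROWSER_STORES = {"cookies", "login data", "web data", "history", "favicons"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Profile junctions present on every Windows installation since Vista:
# "Documents and Settings" -> "Users", and "AppData\Local\Application Data"
# -> "AppData\Local". A directory walk that follows reparse points loops
# through the second one, which is why the report's paths repeat that segment.
_DOCS_AND_SETTINGS = re.compile(r"^C:\\Documents and Settings\\", re.I)
_APPDATA_LOOP = re.compile(r"(\\AppData\\Local)(\\Application Data)+", re.I)

# Constructed events modelled on the report's "Process created" / "File opened" lines.
EVENTS = [
    {"type": "process",
     "image": r"C:\Users\user\AppData\Local\Temp\svch0st.3223.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\svch0st.3223.exe -w 'C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies'"},
    {"type": "file_open",
     "image": r"C:\Users\user\AppData\Local\Temp\svch0st.3223.exe",
     "path": r"C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies"},
    {"type": "file_open",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"type": "process",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def normalize_profile_path(path: str) -> str:
    """Collapse the two profile junctions so the real target path is visible."""
    path = _DOCS_AND_SETTINGS.sub(lambda m: "C:\\Users\\", path)
    return _APPDATA_LOOP.sub(lambda m: m.group(1), path)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return PureWindowsPath(path).name.lower()


def looks_like_system_masquerade(image: str) -> bool:
    """Flag a near-miss of a core Windows image name (digit-for-letter swaps such as
    svch0st, with a numeric tag like .3223 stripped) or a genuine name running from
    outside C:\\Windows."""
    base = re.sub(r"\.\d+(?=\.exe$)", "", image_name(image))
    if base in SYSTEM_IMAGES:
        return not image.lower().startswith("c:\\windows\\")
    folded = base.translate(str.maketrans("0135", "oles"))
    return folded in SYSTEM_IMAGES


def is_browser_store_access(image: str, path: str) -> bool:
    """True when a non-browser process opens a Chromium profile database."""
    target = PureWindowsPath(normalize_profile_path(path))
    in_profile = any(part.lower() == "user data" for part in target.parts)
    return (in_profile and target.name.lower() in BROWSER_STORES
            and image_name(image) not in BROWSER_IMAGES)


def target_from_cmdline(cmdline: str):
    """Return the path passed as -w '<path>', the argument shape seen in this report."""
    m = re.search(r"-w '([^']*)'", cmdline)
    return m.group(1) if m else None


def triage(events):
    """Return deduplicated (finding, detail) pairs for the suspicious events."""
    findings = []
    for ev in events:
        hits = []
        if looks_like_system_masquerade(ev["image"]):
            hits.append(("system_binary_masquerade", ev["image"]))
        path = ev.get("path") or target_from_cmdline(ev.get("cmdline", ""))
        if path and is_browser_store_access(ev["image"], path):
            hits.append(("browser_store_access", normalize_profile_path(path)))
        for hit in hits:
            if hit not in findings:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(EVENTS):
        print(f"{kind}: {detail}")
```

Normalizing the junction loops first matters for both the human reader and any path-based rule: the report's twelve-segment paths and the real `C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies` are the same file, and a rule keyed on the literal `User Data\Default\Cookies` suffix would match either, but one keyed on the full path would not.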

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C786D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,2_2_00C786D3
Source: C:\Users\user\Desktop\5d9EP7DOdB.exe | Code function: 2_2_00C793A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,2_2_00C793A5
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00BD10E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,5_2_00BD10E0
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C786D3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,5_2_00C786D3
Source: C:\Users\user\AppData\Local\Temp\svch0st.3223.exe | Code function: 5_2_00C793A5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,5_2_00C793A5

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 106938
Sample: 5d9EP7DOdB.bin
Start date: 29/01/2019
Architecture: WINDOWS
Score: 60
Signatures on the sample: Too many similar processes found; Multi AV Scanner detection for submitted file
Process tree: 5d9EP7DOdB.exe started svch0st.3223.exe, which started svch0st.3223.exe (three instances shown) and 32 other processes
Signature on the first svch0st.3223.exe child: Tries to harvest and steal browser information (history, passwords, etc)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
5d9EP7DOd.exe | 59% | virustotal |
5d9EP7DOd.exe | 27% | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.