Source: unpacked_svchost.exe |
Avira: detected |
Source: https://ilu21plane.xyz/ |
Avira URL Cloud: Label: malware |
Source: https://nizaoplov.xyz/A_ |
Avira URL Cloud: Label: malware |
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 |
Avira URL Cloud: Label: malware |
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T |
Avira URL Cloud: Label: malware |
Source: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 |
Avira URL Cloud: Label: malware |
Source: https://153ishak.best/A_ |
Avira URL Cloud: Label: malware |
Source: https://nizaoplov.xyz/ |
Avira URL Cloud: Label: malware |
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 |
Avira URL Cloud: Label: malware |
Source: https://boldidiotruss.xyz/- |
Avira URL Cloud: Label: malware |
Source: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 |
Avira URL Cloud: Label: malware |
Source: https://boldidiotruss.xyz/ |
Avira URL Cloud: Label: malware |
Source: https://boldidiotruss.xyz/1 |
Avira URL Cloud: Label: malware |
Source: ilu21plane.xyz |
Virustotal: Detection: 7% |
Source: nizaoplov.xyz |
Virustotal: Detection: 10% |
Source: https://ilu21plane.xyz/ |
Virustotal: Detection: 7% |
Source: boldidiotruss.xyz |
Virustotal: Detection: 13% |
Source: 153ishak.best |
Virustotal: Detection: 6% |
Source: https://boldidiotruss.xyz/ |
Virustotal: Detection: 13% |
Source: https://nizaoplov.xyz/ |
Virustotal: Detection: 10% |
Source: unpacked_svchost.exe |
ReversingLabs: Detection: 71% |
Source: unpacked_svchost.exe |
Virustotal: Detection: 76% |
Source: Yara match |
File source: unpacked_svchost.exe, type: SAMPLE |
Source: unpacked_svchost.exe |
Joe Sandbox ML: detected |
Source: unpacked_svchost.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: |
DNS query: boldidiotruss.xyz |
Source: |
DNS query: nizaoplov.xyz |
Source: |
DNS query: ilu21plane.xyz |
Source: unknown |
DNS traffic detected: query: nizaoplov.xyz replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: 153ishak.best replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: boldidiotruss.xyz replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: ilu21plane.xyz replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: boldidiotruss.xyz |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://153ishak.best/A_ |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://boldidiotruss.xyz/ |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://boldidiotruss.xyz/- |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://boldidiotruss.xyz/1 |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp, unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001339000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://boldidiotruss.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000004 |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ilu21plane.xyz/ |
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://nizaoplov.xyz/ |
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://nizaoplov.xyz/A_ |
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000 |
Source: unpacked_svchost.exe, 00000000.00000003.2974640610.0000000001328000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF00000000000000000004 |
Source: unpacked_svchost.exe, 00000000.00000003.2974577476.000000000133B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://nizaoplov.xyz/photo.png?id=011E3D33FBC8A0E3EE00FF0000000000000000V)T |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Section loaded: rasadhlp.dll |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/0@25/0 |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
File created: C:\Users\user\AppData\Local\user |
Source: unpacked_svchost.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Code function: 0_2_010010F6 wsprintfA, |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
RDTSC instruction interceptor: First address: 1001131 second address: 1001151 instructions:
0x00000000 rdtsc
0x00000002 mov esi, eax
0x00000004 mov dword ptr [esp+1Ch], edx
0x00000008 xor eax, eax
0x0000000a lea edi, dword ptr [esp+28h]
0x0000000e inc eax
0x0000000f xor ecx, ecx
0x00000011 cpuid
0x00000013 mov dword ptr [edi], eax
0x00000015 mov eax, edi
0x00000017 mov dword ptr [eax+04h], ebx
0x0000001a mov dword ptr [eax+08h], ecx
0x0000001d mov dword ptr [eax+0Ch], edx
0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
RDTSC instruction interceptor: First address: 1001151 second address: 1001131 instructions:
0x00000000 rdtsc
0x00000002 sub eax, esi
0x00000004 sbb edx, dword ptr [esp+1Ch]
0x00000008 test edx, edx
0x0000000a jnbe 00007F61651D0F5Ah
0x0000000c jc 00007F61651D0F19h
0x0000000e cmp eax, 000000FAh
0x00000013 jnc 00007F61651D0F18h
0x00000015 inc byte ptr [esp+1Ah]
0x00000019 jmp 00007F61651D0F4Fh
0x0000001b sub ebp, 01h
0x0000001e jne 00007F61651D0E95h
0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Code function: 0_2_01001224 rdtsc |
Source: C:\Users\user\Desktop\unpacked_svchost.exe TID: 5320 |
Thread sleep time: -690000s >= -30000s |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Last function: Thread delayed |
Source: unpacked_svchost.exe, 00000000.00000002.3304286481.00000000012FE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Code function: 0_2_01001000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, |
Source: C:\Users\user\Desktop\unpacked_svchost.exe |
Code function: 0_2_010014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, |
Source: Yara match |
File source: unpacked_svchost.exe, type: SAMPLE |