Source: svchost(1).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: svchost(1).exe | Static PE information: certificate valid
Source: svchost(1).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, GUARD_CF, TERMINAL_SERVER_AWARE
Source: svchost(1).exe | Binary string: svchost.pdb
Source: svchost(1).exe | Binary string: svchost.pdbUGP
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3150 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,HeapSetInformation,TpAllocTimer,EventRegister,EventSetInformation,GetTickCount64,GetTickCount64,TpSetTimer,NtSetInformationProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2739 ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B24B0 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx
Source: svchost(1).exe, 00000000.00000000.2045451956.00000000004BB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: svchost(1).exe | Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3120 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess
Source: svchost(1).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\svchost(1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost(1).exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: svchost(1).exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\svchost(1).exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\svchost(1).exe | API coverage: 3.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\svchost(1).exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B4FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B4FD0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B43D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B514A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,CloseHandle,GetLengthSid,AddAccessAllowedAce,GetLengthSid,AddAccessAllowedAce,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B50B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B67D0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B6780 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B6710 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status