
Analysis Report svchost.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:223564
Start date:18.04.2020
Start time:02:01:25
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 45s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:svchost.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@8/4@30/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, MusNotifyIcon.exe, UsoClient.exe
  • TCP Packets have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 20.44.86.43, 40.90.137.126, 40.90.23.247, 40.90.137.125, 51.143.111.7, 51.104.136.2, 204.79.197.200, 13.107.21.200, 40.127.240.158, 93.184.220.29, 2.18.68.82, 8.241.11.254, 8.241.123.254, 8.241.122.254, 8.253.204.120, 67.26.139.254
  • Excluded domains from analysis (whitelisted): www.bing.com, umwatson.trafficmanager.net, cs9.wac.phicdn.net, fs.microsoft.com, lgin.msa.trafficmanager.net, dual-a-0001.a-msedge.net, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net
  • Execution Graph export aborted for target svchost.exe, PID 2428 because there are no executed function
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | | AsyncRAT | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Mitre Att&ck Matrix

The matrix is listed per tactic below; a number after a technique is the matched-signature count shown in the matrix cell.

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
Execution:
  • Windows Management Instrumentation 1
  • Scheduled Task 2
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
Persistence:
  • Scheduled Task 2
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
Privilege Escalation:
  • Process Injection 212
  • Scheduled Task 2
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
Defense Evasion:
  • Masquerading 1
  • Software Packing 3
  • Disabling Security Tools 1
  • Virtualization/Sandbox Evasion 2
  • Process Injection 212
  • Deobfuscate/Decode Files or Information 1
  • Obfuscated Files or Information 121
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
Discovery:
  • Virtualization/Sandbox Evasion 2
  • Process Discovery 2
  • Security Software Discovery 21
  • Remote System Discovery 1
  • File and Directory Discovery 1
  • System Information Discovery 14
  • Network Sniffing
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
Collection:
  • Data from Local System
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
Exfiltration:
  • Data Encrypted 11
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
Command and Control:
  • Standard Cryptographic Protocol 1
  • Standard Non-Application Layer Protocol 1
  • Standard Application Layer Protocol 11
  • Multiband Communication
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: svchost.exe | Virustotal: Detection: 76%
Source: svchost.exe | ReversingLabs: Detection: 83%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: svchost.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.svchost.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: babyboyhammer2.duckdns.org
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 192.169.69.25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: babyboyhammer2.duckdns.org
Urls found in memory or binary data
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: svchost.exe, 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000000.00000003.755236929.000000000165A000.00000004.00000001.sdmp | String found in binary or memory: http://ww.micro
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: svchost.exe, 00000000.00000003.765901529.000000000165F000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: svchost.exe, 00000000.00000003.758901499.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: svchost.exe, 00000000.00000003.758719886.0000000001658000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn)
Source: svchost.exe, 00000000.00000003.759322323.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: svchost.exe, 00000000.00000003.758224258.0000000001658000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh
Source: svchost.exe, 00000000.00000003.758826869.000000000165E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh5
Source: svchost.exe, 00000000.00000003.757981007.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnm
Source: svchost.exe, 00000000.00000003.759212724.000000000165F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn-us
Source: svchost.exe, 00000000.00000003.758318286.000000000165E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnoft.com/typography/fonts)
Source: svchost.exe, 00000000.00000003.758224258.0000000001658000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnto
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: svchost.exe, 00000000.00000003.765901529.000000000165F000.00000004.00000001.sdmp | String found in binary or memory: http://www.mn-use.
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: svchost.exe, 00000000.00000003.756502971.0000000001658000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kror
Source: svchost.exe, 00000000.00000003.756502971.0000000001658000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krs-czrm
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: svchost.exe, 00000000.00000002.800592631.0000000006406000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: svchost.exe, 00000000.00000003.760757014.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000000.00000003.760757014.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnhttp://www.zhongyicts.com.cn
Source: svchost.exe, 00000000.00000003.760757014.0000000001656000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2336, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1628, type: MEMORY
Source: Yara match | File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

.NET source code contains very large strings
Source: svchost.exe, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 0.0.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 0.2.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 8.2.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 8.0.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 10.2.svchost.exe.4e0000.1.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Source: 10.0.svchost.exe.4e0000.0.unpack, muyou.Lib/Class2.cs | Long String: Length: 39340
Contains functionality to call native functions
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_07C641D0 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_07C641CB NtQueryInformationProcess,
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe E9C607F263A990DB1BF0465C8688ED7CE7E5F294845041FB56AF313DF34F45DF
Sample file is different than original file name gathered from version info
Source: svchost.exe, 00000000.00000002.798626351.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs svchost.exe
Source: svchost.exe, 00000000.00000002.804490220.0000000007800000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDefender Protect.dllB vs svchost.exe
Source: svchost.exe, 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs svchost.exe
Source: svchost.exe, 00000000.00000002.786656540.0000000000A84000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFZDg.exe4 vs svchost.exe
Source: svchost.exe, 00000000.00000002.788480521.0000000003181000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs svchost.exe
Source: svchost.exe, 00000000.00000002.788480521.0000000003181000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs svchost.exe
Source: svchost.exe, 00000000.00000002.788480521.0000000003181000.00000004.00000001.sdmp | Binary or memory string: <l,\\StringFileInfo\\000004B0\\OriginalFilename vs svchost.exe
Source: svchost.exe, 00000000.00000002.798644359.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs svchost.exe
Source: svchost.exe, 00000000.00000002.804529267.0000000007810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs svchost.exe
Source: svchost.exe, 00000000.00000002.806143583.000000000DA10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs svchost.exe
Source: svchost.exe, 00000008.00000002.784347707.0000000000404000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFZDg.exe4 vs svchost.exe
Source: svchost.exe, 0000000A.00000002.1175681697.000000000040E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs svchost.exe
Source: svchost.exe, 0000000A.00000000.785272595.0000000000524000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFZDg.exe4 vs svchost.exe
Source: svchost.exe, 0000000A.00000002.1180963864.0000000005170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs svchost.exe
Source: svchost.exe, 0000000A.00000002.1181469194.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe | Binary or memory string: OriginalFilenameFZDg.exe4 vs svchost.exe
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: svchost.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: USNizoLckoTtei.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functions
Source: svchost.exe, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.0.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.svchost.exe.4e0000.1.unpack, muyou.Lib/Class2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
.NET source code contains long base64-encoded strings
Source: svchost.exe, muyou.Lib/Class2.cs
Source: 0.0.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs
Source: 0.2.svchost.exe.a40000.0.unpack, muyou.Lib/Class2.cs
Source: 8.2.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs
Source: 8.0.svchost.exe.3c0000.0.unpack, muyou.Lib/Class2.cs
Source: 10.2.svchost.exe.400000.0.unpack, Client/Settings.cs
Source: 10.2.svchost.exe.4e0000.1.unpack, muyou.Lib/Class2.cs
Source: 10.0.svchost.exe.4e0000.0.unpack, muyou.Lib/Class2.cs
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@30/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\svchost.exe | File created: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe
Creates mutexes
Source: C:\Users\user\Desktop\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\IpnAoDtlqZSYTuwQGjkZSskdp
Source: C:\Users\user\Desktop\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\vnsiwikbbec
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4076:120:WilError_01
Creates temporary files
Source: C:\Users\user\Desktop\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF42D.tmp
PE file has an executable .text section and no other executable section
Source: svchost.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2756
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5116
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2948
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4720
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4124
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4120
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 376
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2344
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4760
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2928
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2336
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 560
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2132
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2208
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1732
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2912
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 940
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 544
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2512
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2708
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 736
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2504
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3284
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3872
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3280
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3664
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4052
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1492
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 900
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1332
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 696
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2468
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 292
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3440
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 680
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 88
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 672
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3552
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 468
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2632
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4204
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2232
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1440
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 60
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 452
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4980
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1240
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2416
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 248
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 944
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4972
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4772
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4968
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1420
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 592
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1608
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2000
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1800
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1404
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 812
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1204
Source: C:\Users\user\Desktop\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1196
Source: C:\Users\user\Desktop\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 996
Source: C:\Users\user\Desktop\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Users\user\Desktop\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
Source: C:\Users\user\Desktop\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2168
Source: C:\Users\user\Desktop\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
Reads ini files
Source: C:\Users\user\Desktop\svchost.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: svchost.exe | Virustotal: Detection: 76%
Source: svchost.exe | ReversingLabs: Detection: 83%
Sample reads its own file content
Source: C:\Users\user\Desktop\svchost.exe | File read: C:\Users\user\Desktop\svchost.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\svchost.exe 'C:\Users\user\Desktop\svchost.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\svchost.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\svchost.exe {path}
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp'
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Users\user\Desktop\svchost.exe {path}
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Users\user\Desktop\svchost.exe {path}
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\svchost.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
PE file contains a COM descriptor data directory
Source: svchost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: svchost.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb<^V^ H^_CorDllMainmscoree.dll source: svchost.exe, 00000000.00000002.804490220.0000000007800000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: svchost.exe, 00000000.00000002.804490220.0000000007800000.00000004.00000001.sdmp

Data Obfuscation:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_0569F810 push eax; iretd
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_057A9720 push 000000C3h; ret
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_07C6124F push ebx; iretd
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_07C620A3 push esi; iretd
Source: C:\Users\user\Desktop\svchost.exe | Code function: 0_2_07DFE272 push eax; retf
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.11642886575

Persistence and Installation Behavior:
Drops PE files
Source: C:\Users\user\Desktop\svchost.exe | File created: C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe

Boot Survival:
Yara detected AsyncRAT
Source: Yara match | File source: 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2336, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1628, type: MEMORY
Source: Yara match | File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp'

Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\svchost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:
Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1628, type: MEMORY
Yara detected AsyncRAT
Source: Yara match | File source: 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2336, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1628, type: MEMORY
Source: Yara match | File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: svchost.exe, 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\svchost.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\svchost.exe TID: 860 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\svchost.exe | Last function: Thread delayed
Checks the free space of harddrives
Source: C:\Users\user\Desktop\svchost.exe | File Volume queried: C:\ FullSizeInformation
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: svchost.exe, 0000000A.00000002.1181469194.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 0000000A.00000002.1181469194.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000A.00000002.1181469194.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000000.00000002.788390225.0000000003160000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: svchost.exe, 0000000A.00000002.1181063887.0000000005300000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll _;
Source: svchost.exe, 0000000A.00000002.1181469194.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\svchost.exe | Process information queried: ProcessInformation

Anti Debugging:
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\svchost.exe | Code function: 10_2_051212B0 LdrInitializeThunk,
Enables debug privileges
Source: C:\Users\user\Desktop\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\svchost.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\svchost.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\Desktop\svchost.exe | Network Connect: 192.169.69.25 8808
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\svchost.exe | Memory written: C:\Users\user\Desktop\svchost.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp'
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Users\user\Desktop\svchost.exe {path}
Source: C:\Users\user\Desktop\svchost.exe | Process created: C:\Users\user\Desktop\svchost.exe {path}
May try to detect the Windows Explorer process (often used for injection)
Source: svchost.exe, 0000000A.00000002.1177128923.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000A.00000002.1177128923.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: svchost.exe, 0000000A.00000002.1177128923.0000000001690000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: svchost.exe, 0000000A.00000002.1177128923.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Users\user\Desktop\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\svchost.exeQueries volume information: C:\Users\user\Desktop\svchost.exe VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
(MachineGuid is a stable per-installation identifier; malware commonly reads it to derive a host or victim ID. Many legitimate .NET and Windows components read it too, so by itself this is a weak indicator and should be weighed together with the AsyncRAT Yara hits and the persistence behaviour below.)

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2336, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1628, type: MEMORY
Source: Yara match | File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Behavior Graph

(The behavior graph is an image that is not included in this export. Its legend distinguishes process, signature, created-file and DNS/IP nodes and annotates each node with whether it is dropped, a Windows process, malicious or Internet-connected, the number of created registry values and files, and the implementation language: Visual Basic, Delphi, Java, .Net C# or VB.NET, or C, C++ or other.)
Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
svchost.exe | 76% | Virustotal
svchost.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Kryptik
svchost.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | 76% | Virustotal
C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Kryptik

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.svchost.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner | Label
babyboyhammer2.duckdns.org | 0% | Virustotal

URLs

Editorial note: the URLs below are type-foundry and designer URLs carried in the metadata of the font files enumerated above (founder.com.cn, sandoll.co.kr, jiyu-kobo.co.jp, tiro.com, sakkal.com and so on), and the truncated or fused forms such as cn/bThe, cnto and cnn-us are string-carving artifacts. They were extracted as strings, not observed as connections, and should not be treated as network indicators; the only domain the report attributes to the sample is babyboyhammer2.duckdns.org.

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 1% | Virustotal
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | Virustotal
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnto | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnn-us | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Virustotal
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnhttp://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | Virustotal
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | Virustotal
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | Virustotal
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnh5 | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | Virustotal
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | Virustotal
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cnm | 0% | URL Reputation | safe
http://www.sandoll.co.krs-czrm | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnoft.com/typography/fonts) | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Virustotal
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.mn-use. | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kror | 0% | Avira URL Cloud | safe
http://ww.micro | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | Virustotal
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | Virustotal
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | Virustotal
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | Virustotal
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn) | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnh | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.1175645217.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.789689104.00000000031FD000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: svchost.exe PID: 2336 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: svchost.exe PID: 1628 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: svchost.exe PID: 1628 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author
10.2.svchost.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\svchost.exe' , ParentImage: C:\Users\user\Desktop\svchost.exe, ParentProcessId: 1628, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\USNizoLckoTtei' /XML 'C:\Users\user\AppData\Local\Temp\tmpF42D.tmp', ProcessId: 2992
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\svchost.exe, NewProcessName: C:\Users\user\Desktop\svchost.exe, OriginalFileName: C:\Users\user\Desktop\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\svchost.exe' , ParentImage: C:\Users\user\Desktop\svchost.exe, ParentProcessId: 1628, ProcessCommandLine: {path}, ProcessId: 2428
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\svchost.exe, NewProcessName: C:\Users\user\Desktop\svchost.exe, OriginalFileName: C:\Users\user\Desktop\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\svchost.exe' , ParentImage: C:\Users\user\Desktop\svchost.exe, ParentProcessId: 1628, ProcessCommandLine: {path}, ProcessId: 2428

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 192.169.69.25
  https://cdn.discordapp.com/attachments/692273473430749187/695380419897458718/RFQ.tar.gz | malicious
    • pluginsrv2.duckdns.org:8000/is-ready
  http://systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe | malicious
    • systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe
  help.wsf | malicious
    • postventa-vodafone.duckdns.org/is-ready
  order.xlsx | malicious
    • windowsfirewallsecurityauthorise.duckdns.org/big/svch.html
  order.xlsx | malicious
    • windowsfirewallsecurityauthorise.duckdns.org/big/svch.html
  54RFQ EU (190926) CRYPTED.js | malicious
    • pluginsrv1.duckdns.org:7757/is-ready
  5Hb61XJTf8.jar | malicious
    • pluginsrv1.duckdns.org:7757/is-ready
  5Hb61XJTf8.jar | malicious
    • pluginsrv1.duckdns.org:7757/is-ready
  9QUOTE Request BH7 297745.js | malicious
    • pluginsrv1.duckdns.org:7757/is-ready
  50Purchase Receipt.js | malicious
    • pluginsrv1.duckdns.org:7757/is-ready

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context

Match: unknown
  D6I03EPkny.dll | malicious
    • 151.101.2.49
  No_756316.xls | malicious
    • 52.114.132.34
  https://www.afboxmarket.com/CompanyReportList.exe | malicious
    • 64.34.67.250
  arm7 | malicious
    • 79.84.110.9
  form_998320.xls | malicious
    • 52.114.75.78
  https://sgakqqo.ga/Secured/ | malicious
    • 104.16.132.229
  form_998320.xls | malicious
    • 142.93.221.151
  http://kabderrick.skmbugagroup.com/feature/715173.zip | malicious
    • 104.219.248.64
  https://www.almakaan.com/Preview_Employee_Report.exe | malicious
    • 192.3.193.199
  17-04-2020-608161.xls | malicious
    • 52.114.132.20
  17-04-2020-608161.xls | malicious
    • 142.93.221.151
  https://1drv.ms/u/s!Auv3ts8k9X7RcPmHsDGNTX8239A?e=fgdURW | malicious
    • 104.16.132.229
  Preview_Employee_Report.exe | malicious
    • 192.3.193.199
  https://www.almakaan.com/Preview_Employee_Report.exe | malicious
    • 192.3.193.199
  http://104.148.124.120/443 | malicious
    • 52.17.223.107
  enc.xls | malicious
    • 52.114.88.28
  enc.xls | malicious
    • 192.168.2.255
  app-prod-release.apk | malicious
    • 185.199.109.153
  https://slack-redir.net/link?url=https://novelstraw.com/wav/grace.ann.nordin@windstream.com | malicious
    • 13.82.86.76
  https://slack-redir.net/link?url=https://novelstraw.com/wav/grace.ann.nordin@windstream.com&data=02%7C01%7Cgrace.ann.nordin@windstream.com%7C94f1fcb5fe9349f3e48808d7e2e00240%7C2567b4c1b0ed40f5aee358d7c5f3e2b2%7C1%7C1%7C637227324057488135&sdata=ViNaDPMKq+Hb22ofs463Tji01hNy/5XAWbFmBTKOBJI=&reserved=0 | malicious
    • 13.82.86.76

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Roaming\USNizoLckoTtei.exe | https://www.chipmarkets.com//vendor/phpunit/phpunit/src/Util/PHP/admin/svchost.exe | malicious

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not