Play interactive tour

Edit tour

Analysis Report svchost[1].exe

Overview

General Information

Sample Name:	svchost[1].exe
Analysis ID:	383988
MD5:	f31b0e7d038ed9d64be2c6ef94fa5171
SHA1:	a4311ea256fb28fa7815249f43c903641c7114da
SHA256:	30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

svchost[1].exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\svchost[1].exe' MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)

svchost[1].exe (PID: 5872 cmdline: C:\Users\user\Desktop\svchost[1].exe MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost[1].exe PID: 5872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost[1].exe PID: 5872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost[1].exe PID: 6956	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost[1].exe PID: 6956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.svchost[1].exe.3c80048.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost[1].exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.svchost[1].exe.3b49d80.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.svchost[1].exe.3b49d80.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.svchost[1].exe.3b49d80.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: svchost[1].exe	Virustotal: Detection: 15%			Perma Link
Source: svchost[1].exe	ReversingLabs: Detection: 16%

Machine Learning detection for sample

Show sources

Source: svchost[1].exe

Joe Sandbox ML: detected

Source: 5.2.svchost[1].exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: svchost[1].exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: svchost[1].exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04AA8160
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04AA9680
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04AA9670
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04AA8151
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04AA8214

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 5.10.29.169:587

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 5.10.29.169:587

Source: Joe Sandbox View

IP Address: 5.10.29.169 5.10.29.169

Source: Joe Sandbox View

ASN Name: EVEREST-ASGB EVEREST-ASGB

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 5.10.29.169:587

Source: unknown

DNS traffic detected: queries for: smtp.lpsinvest.com

Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: svchost[1].exe, 00000005.00000002.908431013.00000000033D4000.00000004.00000001.sdmp, svchost[1].exe, 00000005.00000002.908461023.00000000033E4000.00000004.00000001.sdmp, svchost[1].exe, 00000005.00000002.908377566.000000000339D000.00000004.00000001.sdmp, svchost[1].exe, 00000005.00000002.908473952.00000000033EA000.00000004.00000001.sdmp	String found in binary or memory: http://97E09xoEksglOT.net
Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: http://AFplKq.com
Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: svchost[1].exe, 00000000.00000002.665163215.0000000002A31000.00000004.00000001.sdmp, svchost[1].exe, 00000000.00000002.665335915.0000000002A8B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost[1].exe, 00000000.00000002.665335915.0000000002A8B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: svchost[1].exe, 00000005.00000002.908445459.00000000033DA000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.lpsinvest.com
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: svchost[1].exe, 00000000.00000003.649388172.0000000005B0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: svchost[1].exe, 00000000.00000002.669535009.0000000005AD0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: svchost[1].exe, 00000000.00000002.669535009.0000000005AD0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: svchost[1].exe, 00000000.00000002.669535009.0000000005AD0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: svchost[1].exe, 00000000.00000003.647133595.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: svchost[1].exe, 00000000.00000003.647329385.0000000005AD8000.00000004.00000001.sdmp, svchost[1].exe, 00000000.00000003.647395558.0000000005AD6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: svchost[1].exe, 00000000.00000003.647133595.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn0
Source: svchost[1].exe, 00000000.00000003.647133595.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnZ
Source: svchost[1].exe, 00000000.00000003.646976353.0000000005ADE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd:
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp, svchost[1].exe, 00000000.00000003.644385711.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: svchost[1].exe, 00000000.00000003.644385711.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: svchost[1].exe, 00000000.00000002.670258477.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: svchost[1].exe	String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: svchost[1].exe	String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: svchost[1].exe	String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: svchost[1].exe, 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, svchost[1].exe, 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: svchost[1].exe, 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 5.2.svchost[1].exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2429E0ACu002dC67Eu002d4BB9u002d982Eu002d094851467126u007d/CC8F16B2u002d6C4Fu002d4B93u002d81B5u002d25F57D65A170.cs

Large array initialization: .cctor: array initializer size 11954

Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_00672050	0_2_00672050
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_006746E0	0_2_006746E0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010D94A8	0_2_010D94A8
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010DDCF4	0_2_010DDCF4
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010DC3A0	0_2_010DC3A0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010DE218	0_2_010DE218
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010DA748	0_2_010DA748
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_010DDCE8	0_2_010DDCE8
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA0040	0_2_04AA0040
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA8960	0_2_04AA8960
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA54BE	0_2_04AA54BE
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA54C0	0_2_04AA54C0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1528	0_2_04AA1528
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1538	0_2_04AA1538
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA001B	0_2_04AA001B
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA3380	0_2_04AA3380
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA3372	0_2_04AA3372
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA0343	0_2_04AA0343
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1CE8	0_2_04AA1CE8
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1CD8	0_2_04AA1CD8
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA0FD1	0_2_04AA0FD1
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA5839	0_2_04AA5839
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA5848	0_2_04AA5848
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA59F7	0_2_04AA59F7
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1A20	0_2_04AA1A20
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1A30	0_2_04AA1A30
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA5A43	0_2_04AA5A43
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04FE43DC	0_2_04FE43DC
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_00AD2080	5_2_00AD2080
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_00AD46E0	5_2_00AD46E0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_01311198	5_2_01311198
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_01312340	5_2_01312340
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_01316E58	5_2_01316E58
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_016A46A0	5_2_016A46A0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_016A45B0	5_2_016A45B0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_016ADA00	5_2_016ADA00
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_055AB818	5_2_055AB818
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_055A67B0	5_2_055A67B0

Source: svchost[1].exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: svchost[1].exe	Binary or memory string: OriginalFilename vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670654588.0000000007270000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670490935.00000000070C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000000.642028343.0000000000672000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe	Binary or memory string: OriginalFilename vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906391605.0000000000F58000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906825657.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906252484.0000000000AD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe	Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe

Source: svchost[1].exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: svchost[1].exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.svchost[1].exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.svchost[1].exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\svchost[1].exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost[1].exe.log

Jump to behavior

Source: svchost[1].exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\svchost[1].exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\svchost[1].exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: svchost[1].exe	Virustotal: Detection: 15%
Source: svchost[1].exe	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\svchost[1].exe 'C:\Users\user\Desktop\svchost[1].exe'
Source: C:\Users\user\Desktop\svchost[1].exe	Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe
Source: C:\Users\user\Desktop\svchost[1].exe	Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe	Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: svchost[1].exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: svchost[1].exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_00688523 push dword ptr [esi+3Fh]; iretd	0_2_00688535
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_00675683 push es; retf	0_2_00675684
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_0068928F push FFFFFFD9h; iretd	0_2_006892AC
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 0_2_04AA1FD7 push D0456990h; retf	0_2_04AA1FDC
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_00AE8523 push dword ptr [esi+3Fh]; iretd	5_2_00AE8535
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_00AE928F push FFFFFFD9h; iretd	5_2_00AE92AC
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_00AD5683 push es; retf	5_2_00AD5684
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_0131E0C2 push es; ret	5_2_0131E0D0
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_016ACD51 push esp; iretd	5_2_016ACD5D
Source: C:\Users\user\Desktop\svchost[1].exe	Code function: 5_2_055A5157 push eax; ret	5_2_055A5165

Source: initial sample

Static PE information: section name: .text entropy: 7.56739593384

Source: C:\Users\user\Desktop\svchost[1].exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\svchost[1].exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\svchost[1].exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\svchost[1].exe

Code function: 0_2_00674CAE sldt word ptr [eax]

0_2_00674CAE

Source: C:\Users\user\Desktop\svchost[1].exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	Window / User API: threadDelayed 962			Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Window / User API: threadDelayed 8893			Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe TID: 6960	Thread sleep time: -103561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe TID: 7000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe TID: 6512	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516	Thread sleep count: 962 > 30	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516	Thread sleep count: 8893 > 30	Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\svchost[1].exe	Thread delayed: delay time: 103561	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\svchost[1].exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\svchost[1].exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\svchost[1].exe

Memory written: C:\Users\user\Desktop\svchost[1].exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\svchost[1].exe

Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe

Jump to behavior

Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\svchost[1].exe

Queri

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report svchost[1].exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection: