Summary

51d44fd2988585ff_svchost.exe

File 51d44fd2988585ff_svchost.exe

Summary
Download Resubmit sample

Size 2.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fea68d40d8be54ede189a6ee32ed6c0d
SHA1 55f1aea853cd45217a310041f6ca9319d2672038
SHA256 51d44fd2988585ff21cd1d6fde99a29a1901fea6bd7d58572a16816723da96b4
SHA512
29ffbd567284f2662461d40bf45d556fd11b21fbb50518e8c2b201898ff5a1f77852cb84fc1a250b1429b2bdeb19780616d40322f92de8a77640dbb4d23cd716
CRC32 1A235EDB
ssdeep None
Yara
  • network_dns - Communications use DNS
  • screenshot - Take screenshot
  • win_registry - Affect system registries

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:7248595

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE Dec. 22, 2025, 8:28 a.m. Dec. 22, 2025, 8:37 a.m. 551 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-12-21 16:46:06,078 [analyzer] DEBUG: Starting analyzer from: C:\tmp1xmcit
2025-12-21 16:46:06,092 [analyzer] DEBUG: Pipe server name: \??\PIPE\coJFodDNqTXZkBcpKCgwjixQuvqgDfG
2025-12-21 16:46:06,092 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ocRWTltxLeUfSMEOqFO
2025-12-21 16:46:06,092 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-12-21 16:46:06,108 [analyzer] INFO: Automatically selected analysis package "exe"
2025-12-21 16:46:06,717 [analyzer] DEBUG: Started auxiliary module Curtain
2025-12-21 16:46:06,717 [analyzer] DEBUG: Started auxiliary module DbgView
2025-12-21 16:46:07,358 [analyzer] DEBUG: Started auxiliary module Disguise
2025-12-21 16:46:07,578 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-12-21 16:46:07,578 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-12-21 16:46:07,578 [analyzer] DEBUG: Started auxiliary module Human
2025-12-21 16:46:07,578 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-12-21 16:46:07,578 [analyzer] DEBUG: Started auxiliary module Reboot
2025-12-21 16:46:07,687 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-12-21 16:46:07,687 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-12-21 16:46:07,687 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-12-21 16:46:07,687 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-12-21 16:46:07,921 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\51d44fd2988585ff_svchost.exe' with arguments '' and pid 1432
2025-12-21 16:46:08,187 [analyzer] DEBUG: Loaded monitor into process with pid 1432
2025-12-21 16:46:09,108 [analyzer] INFO: Added new file to list with pid 1432 and path C:\Windows\AppPatch\svchost.exe
2025-12-21 16:46:09,233 [analyzer] INFO: Injected into process with pid 892 and name u'svchost.exe'
2025-12-21 16:46:09,453 [analyzer] DEBUG: Loaded monitor into process with pid 892
2025-12-21 16:46:09,921 [analyzer] INFO: Process with pid 1432 has terminated
2025-12-21 16:46:10,312 [analyzer] WARNING: Received request to inject Cuckoo processes, skipping it.
2025-12-21 16:46:11,390 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14232B434CF29D4C4FB335A86D7FFFE3
2025-12-21 16:46:11,390 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14232B434CF29D4C4FB335A86D7FFFE3
2025-12-21 16:46:11,421 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\Local\Temp\TarC5D4.tmp
2025-12-21 16:46:11,530 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2025-12-21 16:46:11,530 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2025-12-21 16:46:11,546 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\Local\Temp\TarC653.tmp
2025-12-21 16:46:11,717 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2025-12-21 16:46:11,717 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2025-12-21 16:46:11,780 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
2025-12-21 16:46:11,780 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
2025-12-22 07:32:51,055 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
2025-12-22 07:32:51,072 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
2025-12-22 07:32:51,697 [analyzer] INFO: Added new file to list with pid 892 and path C:\Users\Administrator\AppData\Local\Temp\6896.tmp
2025-12-22 07:33:13,868 [analyzer] WARNING: Received request to inject Cuckoo processes, skipping it.
2025-12-22 07:35:24,713 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-12-22 07:35:25,697 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-12-22 07:35:25,697 [lib.api.process] INFO: Successfully terminated process with pid 892.
2025-12-22 07:35:25,743 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tarc653.tmp' does not exist, skip.
2025-12-22 07:35:25,759 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tarc5d4.tmp' does not exist, skip.
2025-12-22 07:35:25,805 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-12-22 08:28:32,210 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:33,232 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:34,252 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:35,276 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:36,427 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:37,466 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:38,498 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:39,521 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:40,548 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:41,702 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:42,727 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:43,748 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:44,767 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:45,830 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:46,849 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:47,873 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:48,893 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:49,917 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:50,939 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:51,960 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:52,982 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:54,015 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:55,043 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:56,352 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:57,374 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:58,406 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:28:59,567 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:00,732 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:01,764 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:02,814 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:03,857 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:04,880 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:05,906 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:06,931 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:07,958 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:08,979 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:10,000 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:11,110 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:12,129 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:13,154 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:14,185 [cuckoo.core.scheduler] DEBUG: Task #7253259: no machine available yet
2025-12-22 08:29:15,396 [cuckoo.core.scheduler] INFO: Task #7253259: acquired machine win7x6414 (label=win7x6414)
2025-12-22 08:29:15,399 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.214 for task #7253259
2025-12-22 08:29:15,807 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3657478 (interface=vboxnet0, host=192.168.168.214)
2025-12-22 08:29:18,261 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6414
2025-12-22 08:29:19,090 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6414 to vmcloak
2025-12-22 08:31:55,455 [cuckoo.core.guest] INFO: Starting analysis #7253259 on guest (id=win7x6414, ip=192.168.168.214)
2025-12-22 08:31:56,461 [cuckoo.core.guest] DEBUG: win7x6414: not ready yet
2025-12-22 08:32:01,504 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6414, ip=192.168.168.214)
2025-12-22 08:32:01,636 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6414, ip=192.168.168.214, monitor=latest, size=6660546)
2025-12-22 08:32:03,982 [cuckoo.core.resultserver] DEBUG: Task #7253259: live log analysis.log initialized.
2025-12-22 08:32:05,389 [cuckoo.core.resultserver] DEBUG: Task #7253259 is sending a BSON stream
2025-12-22 08:32:05,885 [cuckoo.core.resultserver] DEBUG: Task #7253259 is sending a BSON stream
2025-12-22 08:32:06,686 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'shots/0001.jpg'
2025-12-22 08:32:06,879 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 133499
2025-12-22 08:32:07,093 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/51d44fd2988585ff_BD4E.tmp'
2025-12-22 08:32:07,511 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 2400946
2025-12-22 08:32:07,522 [cuckoo.core.resultserver] DEBUG: Task #7253259 is sending a BSON stream
2025-12-22 08:32:09,044 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/e3b0c44298fc1c14_C2E1.tmp'
2025-12-22 08:32:09,052 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 0
2025-12-22 08:32:18,358 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:32:33,470 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:32:48,740 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:32:51,862 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/d6a9bd30c6a1cd05_6896.tmp'
2025-12-22 08:32:51,865 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 1230
2025-12-22 08:33:03,900 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:33:19,181 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:33:34,317 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:33:49,433 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:34:04,609 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:34:19,733 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:34:34,867 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:34:49,942 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:35:05,022 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:35:20,246 [cuckoo.core.guest] DEBUG: win7x6414: analysis #7253259 still processing
2025-12-22 08:35:25,058 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'curtain/1766385324.92.curtain.log'
2025-12-22 08:35:25,061 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 36
2025-12-22 08:35:25,758 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'sysmon/1766385325.6.sysmon.xml'
2025-12-22 08:35:25,848 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 8807488
2025-12-22 08:35:25,869 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/aa3f745baa0067fb_svchost.exe'
2025-12-22 08:35:25,888 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 2400946
2025-12-22 08:35:25,896 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/33ba8221ff3f5211_94308059b57b3142e455b38a6eb92015'
2025-12-22 08:35:25,898 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 73211
2025-12-22 08:35:25,900 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/2661247d753fc638_8b2b9a00839eed1dfdccc3bfc2f5df12'
2025-12-22 08:35:25,902 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 174
2025-12-22 08:35:25,905 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/6fb1b8e593cb0388_b46811c17859ffb409cf0e904a4aa8f8'
2025-12-22 08:35:25,908 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 530
2025-12-22 08:35:25,912 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/ebd41040e4bb3ec7_14232b434cf29d4c4fb335a86d7fffe3'
2025-12-22 08:35:25,914 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 889
2025-12-22 08:35:25,918 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/e28476175c1c43f2_94308059b57b3142e455b38a6eb92015'
2025-12-22 08:35:25,922 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 344
2025-12-22 08:35:25,924 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/0f71708dbfee304a_8b2b9a00839eed1dfdccc3bfc2f5df12'
2025-12-22 08:35:25,929 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 1739
2025-12-22 08:35:25,931 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/43f20d0103c6616c_f0accf77cdcbff39f6191887f6d2d357'
2025-12-22 08:35:25,937 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 242
2025-12-22 08:35:25,939 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/df545bf919a2439c_f0accf77cdcbff39f6191887f6d2d357'
2025-12-22 08:35:25,941 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 1521
2025-12-22 08:35:25,942 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/d49efe255e51f8be_14232b434cf29d4c4fb335a86d7fffe3'
2025-12-22 08:35:25,944 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 170
2025-12-22 08:35:25,945 [cuckoo.core.resultserver] DEBUG: Task #7253259: File upload for 'files/12cd4c75a59e34cc_b46811c17859ffb409cf0e904a4aa8f8'
2025-12-22 08:35:25,948 [cuckoo.core.resultserver] DEBUG: Task #7253259 uploaded file length: 170
2025-12-22 08:35:25,969 [cuckoo.core.resultserver] DEBUG: Task #7253259 had connection reset for <Context for LOG>
2025-12-22 08:35:26,276 [cuckoo.core.guest] INFO: win7x6414: analysis completed successfully
2025-12-22 08:35:26,294 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-12-22 08:35:26,321 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-12-22 08:35:29,013 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6414 to path /srv/cuckoo/cwd/storage/analyses/7253259/memory.dmp
2025-12-22 08:35:30,628 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6414
2025-12-22 08:37:41,606 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.214 for task #7253259
2025-12-22 08:37:43,553 [cuckoo.core.scheduler] DEBUG: Released database task #7253259
2025-12-22 08:37:43,632 [cuckoo.core.scheduler] INFO: Task #7253259: analysis procedure completed

Signatures

Yara rules detected for file (3 events)
description Communications use DNS rule network_dns
description Take screenshot rule screenshot
description Affect system registries rule win_registry
Allocates read-write-execute memory (usually to unpack itself) (5 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1432
region_size: 331776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02020000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 389120
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 892
region_size: 331776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 892
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 389120
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 892
region_size: 745472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02650000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: LEMOPMCD
1 1 0
Checks if process is being debugged by a debugger (33 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
The executable contains unknown PE section names indicative of a packer (could be a false positive) (9 events)
section .vjNlbf
section .kudd
section .FeE
section .kbVKK
section .WKQ
section .J
section .UXAdns
section .jFpzOB
section .cmF
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
A process attempted to delay the analysis task. (1 event)
description svchost.exe tried to sleep 240 seconds, actually delayed analysis time by 240 seconds
Creates executable files on the filesystem (1 event)
file C:\Windows\AppPatch\svchost.exe
Creates a suspicious process (1 event)
cmdline C:\Windows\AppPatch\svchost.exe
Drops a binary and executes it (1 event)
file C:\Windows\AppPatch\svchost.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (18 events)
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000100
process_name: wininit.exe
process_identifier: 400
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 1080
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: taskhost.exe
process_identifier: 1396
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: pythonw.exe
process_identifier: 1796
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: WmiPrvSE.exe
process_identifier: 2084
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: SearchIndexer.exe
process_identifier: 2248
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: OSPPSVC.EXE
process_identifier: 3040
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 1528
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: mscorsvw.exe
process_identifier: 2564
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: sppsvc.exe
process_identifier: 2672
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: WmiPrvSE.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: SearchProtocolHost.exe
process_identifier: 1416
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: SearchFilterHost.exe
process_identifier: 2408
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: mobsync.exe
process_identifier: 808
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: pythonw.exe
process_identifier: 2352
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: taskhost.exe
process_identifier: 2816
1 1 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: 51d44fd2988585ff_svchost.exe
process_identifier: 1432
1 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 46
family: 0
1 0 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
section {u'size_of_data': u'0x0001485c', u'virtual_address': u'0x00235000', u'entropy': 7.9111750686050515, u'name': u'.rsrc', u'virtual_size': u'0x0001485c'} entropy 7.91117506861 description A section with a high entropy has been found
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 127 events)
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000100
process_name: 51d44fd2988585ff_svchost.exe
process_identifier: 1432
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: 51d44fd2988585ff_svchost.exe
process_identifier: 1432
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: 51d44fd2988585ff_svchost.exe
process_identifier: 1432
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: 51d44fd2988585ff_svchost.exe
process_identifier: 1432
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000008a4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000008c4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000008c4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000938
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000734
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000007b4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005cc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006f8
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000698
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006dc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000514
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000518
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x0000079c
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000678
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006dc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005cc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000514
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006e0
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000698
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000007a0
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005a4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000750
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006dc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000514
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006e0
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005cc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000007b4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006e0
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000694
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000750
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000006dc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005cc
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000007b4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x000005a4
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000bb0
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000bc8
process_name: svchost.exe
process_identifier: 892
0 0

Process32NextW

 snapshot_handle: 0x00000bc8
process_name: svchost.exe
process_identifier: 892
0 0
Created a process named as a common system process (1 event)
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 936
thread_handle: 0x00000148
process_identifier: 892
current_directory:
filepath: C:\Windows\AppPatch\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\apppatch\svchost.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000001c
1 1 0
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Raised Snort alerts (3 events)
snort ET POLICY Unsupported/Fake Windows NT Version 5.0
snort ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
snort ET INFO Namecheap URL Forward
Allocates execute permission to another process indicative of possible code injection (3 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 892
region_size: 688128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000012c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2352
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03570000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000210
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1796
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e0
1 0 0
Attempts to identify installed AV products by installation directory (1 event)
file C:\Program Files (x86)\AVG\AVG9\dfncfg.dat
Checks for the presence of known windows from debuggers and forensic tools (33 events)
Time & API Arguments Status Return Repeated

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0

FindWindowA

 class_name: OLLYDBG
window_name:
0 0
Checks the version of Bios, possibly for anti-virtualization (1 event)
registry HKEY_LOCAL_MACHINE\SystemBiosVersion
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit reg_value C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (4 events)
Process injection Process 892 created a remote thread in non-child process 2352
Process injection Process 892 created a remote thread in non-child process 1796
Time & API Arguments Status Return Repeated

CreateRemoteThread

 thread_identifier: 0
process_identifier: 2352
function_address: 0x03571360
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000210
1 544 0

CreateRemoteThread

 thread_identifier: 0
process_identifier: 1796
function_address: 0x00151360
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000002e0
1 740 0
Manipulates memory of a non-child process indicative of process injection (6 events)
Process injection Process 892 manipulating memory of non-child process 892
Process injection Process 892 manipulating memory of non-child process 2352
Process injection Process 892 manipulating memory of non-child process 1796
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 892
region_size: 688128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000012c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2352
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03570000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000210
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1796
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e0
1 0 0
Potential code injection by writing to the memory of another process (12 events)
Process injection Process 892 injected into non-child 892
Process injection Process 892 injected into non-child 2352
Process injection Process 892 injected into non-child 1796
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P*@@.text `.data  @À.reloc`@(@B
base_address: 0x025a0000
process_identifier: 892
process_handle: 0x0000012c
1 1 0

WriteProcessMemory

 buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M ó¤Æ„ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
base_address: 0x025a1000
process_identifier: 892
process_handle: 0x0000012c
1 1 0

WriteProcessMemory

 buffer: ×1œ2ñ253s3ö3”5
base_address: 0x025f4000
process_identifier: 892
process_handle: 0x0000012c
1 1 0

WriteProcessMemory

 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
base_address: 0x03570000
process_identifier: 2352
process_handle: 0x00000210
1 1 0

WriteProcessMemory

 buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M ó¤Æ„ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
base_address: 0x03571000
process_identifier: 2352
process_handle: 0x00000210
1 1 0

WriteProcessMemory

 buffer: ×1œ2ñ253s3ö3”5
base_address: 0x035c4000
process_identifier: 2352
process_handle: 0x00000210
1 1 0

WriteProcessMemory

 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
base_address: 0x00150000
process_identifier: 1796
process_handle: 0x000002e0
1 1 0

WriteProcessMemory

 buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M ó¤Æ„ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
base_address: 0x00151000
process_identifier: 1796
process_handle: 0x000002e0
1 1 0

WriteProcessMemory

 buffer: ×1œ2ñ253s3ö3”5
base_address: 0x001a4000
process_identifier: 1796
process_handle: 0x000002e0
1 1 0
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
Time & API Arguments Status Return Repeated

RegSetValueExW

 key_handle: 0x00000574
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x00000574
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: 4æO™rÜ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x00000574
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x00000574
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
value: Network
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName
1 0 0

RegSetValueExW

 key_handle: 0x000006a0
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x000006a0
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: 4æO™rÜ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x000006a0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x00000938
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x00000938
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: 4æO™rÜ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x00000938
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0
Network activity contains more than one unique useragent (2 events)
process svchost.exe useragent Internal
process svchost.exe useragent Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Expresses interest in specific running processes (20 events)
process lsm.exe
process: potential process injection target wininit.exe
process dwm.exe
process searchindexer.exe
process sppsvc.exe
process spoolsv.exe
process: potential process injection target csrss.exe
process: potential process injection target explorer.exe
process mscorsvw.exe
process sysmon.exe
process: potential process injection target smss.exe
process: potential process injection target svchost.exe
process searchfilterhost.exe
process taskhost.exe
process: potential cuckoo sandbox detection pythonw.exe
process searchprotocolhost.exe
process unsecapp.exe
process: potential process injection target winlogon.exe
process osppsvc.exe
process wmiprvse.exe
File has been identified by 8 AntiVirus engine on IRMA as malicious (8 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Babar.692152 (Engine A)
Avast Core Security (Linux) Win32:Zbot-NIZ [Trj]
eScan Antivirus (Linux) Gen:Variant.Babar.692152(DB)
ESET Security (Windows) a variant of Win32/GenKryptik.HMUN trojan
DrWeb Antivirus (Linux) Trojan.PWS.Ibank.323
Bitdefender Antivirus (Linux) Gen:Variant.Babar.692152
Kaspersky Standard (Windows) Backdoor.Win32.Shiz.raj
Emsisoft Commandline Scanner (Windows) Gen:Variant.Babar.692152 (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.