Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.19 02:09
66ea645129e6a_jacobs.exe
09.19 11:09
clip64.dll
09.19 11:09
cred64.dll
09.19 10:09
vsfdajg16.exe
09.19 10:09
QuickBooks_Setup.msi
09.19 10:09
QuickBooks_Desktop_Set...
09.19 10:09
game.exe
09.19 10:09
vlsadg.exe
09.19 10:09
lnfsda.exe
09.19 10:09
66eaadab755d2_installs...

Latest News
09.20 03:09
Bridge Detection Gaps ...
09.20 03:09
02 - Performing Basic ...
09.20 03:09
Exploiting Exchange Po...
09.20 03:09
KI in Hollywood: Wie L...
09.20 03:09
Google: PIN-Schutz für...
09.20 03:09
Chrome-Update für Work...
09.20 03:09
Attacker or IT admin? ...
09.20 03:09
EU’s Von der Leyen Ple...
09.20 02:09
Threat Intelligence Sn...
09.20 02:09
Compliance webinar ser...

Summary | ZeroBOX

svchost.exe

PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 11, 2024, 9:53 a.m.	Sept. 11, 2024, 9:57 a.m.

Size	10.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`f8f78f7b3bd5595e858889fa483ae272`
SHA256	`df98c668e014fb5837ca0e8607ba207d98b39a52b344792ae11bf8f86610ad66`
CRC32	`0B5E9738`
ssdeep	`192:V/3juHTLkz9K2UumhrurFCOUhqkG0gFxew7JAdrgF1pLjaOy1Abwu6+aVfNzF+S1:V/3juHTLSc2UumhrurFCOUhqkG0YxewG`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
1280

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
93.113.171.225	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 11, 2024, 9:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 35000 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2945928 registers.r11: 514 registers.r8: 2944472 registers.r9: 2944528 registers.rdx: 83 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://93.113.171.225/service

Performs some HTTP requests (1 event)

request

GET http://93.113.171.225/service

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 11, 2024, 9:53 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 311296 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022f0000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

93.113.171.225