Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.11.25 18:19	Machine	s1_win7_x6403
Filename	sservc.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	3	Behavior Score	14.0
ZERO API	file : malware
VT API (file)	35 detected (AIDetectMalware, Chapak, Lockbit, MachineLearning, Anomalous, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, PWSX, Obfuscated, high, score, Krypt, Static AI, Malicious PE, Detected, Recordbreaker, Artemis, BScope, unsafe, SmokeLoader, CLASSIC, susgen, Kryptik, HHTS)
md5	4f17e0e8d7f6931d86bcef776619a2b5
sha256	92f3c06a0ba8bc92f1a39521ad2979b86ce409fe9892e5f578e23a48fd8aef46
ssdeep	49152:lu1Cicgvix2ooeL/DIk40DHN1Bl7BclwqyW:lusGIUeLhzxRyBv
imphash	7c1db49ad6667947e0650b5a549f4e65
impfuzzy	24:PjkE3jkrXV4WES+ckjKbp4cDP2us1Jo+ATitlNJbtZLOovEG+ncQyv9thIbplOF7:SFpm1XlTtZ6VGgcx9vCsWXa7f

Network IP location

Signature (26cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	Executed a process and injected code into it
danger	File has been identified by 35 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Allocates execute permission to another process indicative of possible code injection
watch	Communicates with host for which no DNS query was performed
watch	Installs itself for autorun at Windows startup
watch	Installs Tor on the machine
watch	One or more of the buffers contains an embedded PE file
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	Starts servers listening
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Queries for the computername
info	This executable has a PDB path

Rules (19cnts)

Level	Name	Description	Collection
warning	hide_executable_file	Hide executable file	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (334cnts) ?

Request	ASN Co	IP4	ZERO ?
http://paslo.de/phpMyAdmin/ whois	Strato AG	81.169.145.158	clean
http://westendsolution.com/administrator/ whois	AS-26496-GO-DADDY-COM-LLC	107.180.1.10	clean
http://ww25.nvhrw.com/phpmyadmin/?subid1=20231125-1957-27f5-b954-dc376cf569f6 whois		199.59.243.225	clean
http://bseb.com/wp-login.php whois	HOPONE-GLOBAL	209.61.212.154	clean
http://ohsjd.fr/phpmyadmin/ whois	OVH SAS	213.186.33.5	clean
http://itisgiovannixxiii.email.com/administrator/index.php whois	ULTRADNS	204.74.99.100	clean
http://gmail.coive.com/administrator/index.php whois	AMAZON-AES	52.71.57.184	clean
http://paslo.de/phpmyadmin/ whois	Strato AG	81.169.145.158	clean
http://www.saintjeandedieu.com/phpmyadmin whois	OVH SAS	213.186.33.5	clean
http://itisgiovannixxiii.email.com/administrator/ whois	ULTRADNS	204.74.99.100	clean
http://steamlogic.org/administrator/index.php whois	AMAZON-02	3.0.11.115	clean
http://nvhrw.com/phpmyadmin/ whois	Trellian Pty. Limited	103.224.212.212	clean
http://protl.com/administrator/ whois	AMAZON-02	76.223.54.146	clean
http://egst.edu.et/administrator/index.php whois	DIMENOC	162.221.189.186	clean
http://jomaroil.com.br/wp-login.php whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
http://bamboo.cr/phpmyadmin/ whois	CLOUDFLARENET	172.67.173.78	clean
http://nvrinc.coml.com/wp-admin/ whois	AMAZON-02	99.83.248.67	clean
http://gorina.cat/administrator/index.php whois	1&1 Ionos Se	217.76.156.252	clean
http://eru.edu.eg/administrator/ whois	CLOUDFLARENET	172.67.202.98	clean
http://lna.com.mx/administrator/index.php whois	LIQUIDWEB	67.225.236.47	clean
http://gmail.coive.com/wp-login.php whois	AMAZON-AES	52.71.57.184	clean
http://nvhrw.com/administrator/index.php whois	Trellian Pty. Limited	103.224.212.212	clean
http://bseb.com/administrator/index.php whois	HOPONE-GLOBAL	209.61.212.154	clean
http://mi.unc.edu.ar/administrator/ whois	Universidad Nacional de Cordoba	200.16.16.57	clean
http://istitutocomprensivorosate.edu.it/administrator/ whois	AMAZON-02	15.188.65.152	clean
http://ohsjd.fr/administrator/ whois	OVH SAS	213.186.33.5	clean
http://aleeas.com/administrator/ whois	CLOUDFLARENET	172.67.155.39	clean
http://www.saintjeandedieu.com/administrator whois	OVH SAS	213.186.33.5	clean
http://bamboo.cr/administrator/ whois	CLOUDFLARENET	104.21.88.58	clean
http://nvrinc.coml.com/wp-login.php whois	AMAZON-02	99.83.248.67	clean
http://www.restajet.com/phpmyadmin/ whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.40.209.181	clean
http://nvrinc.coml.com/administrator/ whois	AMAZON-02	99.83.248.67	clean
http://paslo.de/administrator/ whois	Strato AG	81.169.145.158	clean
http://awartany.com/administrator/index.php whois	1&1 Ionos Se	74.208.236.160	clean
http://wena.be/administrator/ whois	UNIFIEDLAYER-AS-1	162.241.252.227	clean
http://bakerisroofing.com/administrator/ whois	LIGHTEDGE-AS-02	216.81.136.20	clean
http://jomaroil.com.br/wp-admin/ whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
http://steamlogic.org/wp-admin/ whois	AMAZON-02	3.0.11.115	clean
http://jomaroil.com.br/phpmyadmin/ whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
http://freecycle.com.br/administrator/ whois	AMAZON-02	54.232.92.235	clean
http://awartany.com/phpmyadmin/ whois	1&1 Ionos Se	74.208.236.160	clean
http://lna.com.mx/administrator/ whois	LIQUIDWEB	67.225.236.47	clean
http://nvhrw.com/administrator/ whois	Trellian Pty. Limited	103.224.212.212	clean
http://unab.edu.pe/administrator/ whois	SUCURI-SEC	192.124.249.103	clean
http://lna.com.mx/phpmyadmin/ whois	LIQUIDWEB	67.225.236.47	clean
http://nojesevent.se/wp-admin/ whois	Loopia AB	194.9.94.86	clean
http://gmail.coive.com/administrator/ whois	AMAZON-AES	52.71.57.184	clean
http://cook.de/wp-admin/ whois	Cronon Aktiengesellschaft	192.166.192.19	clean
http://awartany.com/administrator/ whois	1&1 Ionos Se	74.208.236.160	clean
http://nojesevent.se/administrator/ whois	Loopia AB	194.9.94.86	clean
http://nvrinc.coml.com/administrator/index.php whois	AMAZON-02	99.83.248.67	clean
http://transformadoresvictory.com.mx/administrator/ whois	GOOGLE-2	35.215.101.188	clean
http://cook.de/administrator/index.php whois	Cronon Aktiengesellschaft	192.166.192.19	clean
http://fbsdigitalstore.pk/administrator/ whois	CLOUDFLARENET	104.17.9.99	clean
http://egst.edu.et/phpmyadmin/ whois	DIMENOC	162.221.189.186	clean
http://steamlogic.org/phpmyadmin/ whois	AMAZON-02	3.0.11.115	clean
http://ww25.nvhrw.com/administrator/?subid1=20231125-1957-2885-9232-b36a0c77a1c5 whois		199.59.243.225	clean
http://steamlogic.org/administrator/ whois	AMAZON-02	3.0.11.115	clean
http://gorina.cat/administrator/ whois	1&1 Ionos Se	217.76.156.252	clean
http://nojesevent.se/administrator/index.php whois	Loopia AB	194.9.94.86	clean
http://ww25.nvhrw.com/administrator/index.php?subid1=20231125-1957-30ca-aaf7-b67d4336639c whois		199.59.243.225	clean
http://nojesevent.se/wp-login.php whois	Loopia AB	194.9.94.86	clean
http://quimifen.com/administrator/index.php whois	A2HOSTING	66.198.240.40	clean
http://restajet.com/administrator/ whois	CLOUDFLARENET	104.22.56.191	clean
http://jomaroil.com.br/administrator/ whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
http://quimifen.com/administrator/ whois	A2HOSTING	66.198.240.40	clean
http://paslo.de/administrator/index.php whois	Strato AG	81.169.145.158	clean
http://transformadoresvictory.com.mx/administrator/index.php whois	GOOGLE-2	35.215.101.188	clean
http://bseb.com/administrator/ whois	HOPONE-GLOBAL	209.61.212.154	clean
http://blueil.com/administrator/ whois	AMAZON-AES	54.161.222.85	clean
http://bseb.com/phpmyadmin/ whois	HOPONE-GLOBAL	209.61.212.154	clean
http://aleeas.com/administrator/index.php whois	CLOUDFLARENET	172.67.155.39	clean
http://cook.de/administrator/ whois	Cronon Aktiengesellschaft	192.166.192.19	clean
http://blueil.com/administrator/index.php whois	AMAZON-AES	54.161.222.85	clean
http://bamboo.cr/administrator/index.php whois	CLOUDFLARENET	104.21.88.58	clean
http://aleeas.com/phpmyadmin/ whois	CLOUDFLARENET	172.67.155.39	clean
http://bseb.com/wp-admin/ whois	HOPONE-GLOBAL	209.61.212.154	clean
http://steamlogic.org/wp-login.php whois	AMAZON-02	3.0.11.115	clean
http://egst.edu.et/administrator/ whois	DIMENOC	162.221.189.186	clean
http://jomaroil.com.br/administrator/index.php whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
http://cook.de/wp-login.php whois	Cronon Aktiengesellschaft	192.166.192.19	clean
http://freecycle.com.br/administrator/index.php whois	AMAZON-02	54.232.92.235	clean
whois		0.0.0.0
smtp.getontheweb.com whois	GOOGLE	35.236.231.204	clean
ftp.telefonica.nl.com whois			clean
xs4.com whois			clean
ftp.abv.bgo.uk whois			clean
h1studio.com whois	Vodien Internet Solutions Pte Ltd	103.15.235.138	clean
mx.zoho.com whois	ZOHO-AS	204.141.33.44	clean
restajet.com whois	CLOUDFLARENET	104.22.57.191	clean
student.fullo.za whois			clean
hushmail.l.com whois			clean
ohsjd.fr whois	OVH SAS	213.186.33.5	clean
aspmx.l.google.com whois	GOOGLE	173.194.174.27	clean
gmail.coroxat.com whois			clean
salemarketwave.c whois			clean
yahoo.com.arail.com whois	Linode, LLC	45.33.23.183	clean
mail.jpsc.co.za whois			clean
pvic.pl whois			clean
gmp.br whois			clean
alu.iismunari.it whois	Aruba S.p.A.	62.149.128.40	clean
gspnet.it whois	Aruba S.p.A.	89.46.105.48	clean
live.nail.com whois			clean
gmai.vus.edu.vn whois			clean
gmail.coon.gob.ec whois			clean
wena.be whois	UNIFIEDLAYER-AS-1	162.241.252.227	clean
mail.telefonica.nl.com whois			clean
starmarkshipping.cocom whois			clean
mx2.titan.email whois	AMAZON-AES	35.168.179.133	clean
mail.wena.be whois	UNIFIEDLAYER-AS-1	162.241.252.227	clean
colaborativa.etc.br whois			clean
freecycle.com.br whois	AMAZON-02	54.232.92.235	clean
mail.outloove.nl whois			clean
ftp.o2.co.uk.com whois			clean
webbero.it whois			clean
unab.edu.pe whois	SUCURI-SEC	192.124.249.103	clean
bseb.com whois	HOPONE-GLOBAL	209.61.212.154	clean
gmail.range.es whois			clean
seap.com whois			clean
mail.1away.top whois		8.219.60.166	clean
1away.top whois			clean
spokgmail.com whois			clean
freemail.hm whois			clean
ww25.nvhrw.com whois		199.59.243.225	clean
outlook.ausd.org whois			clean
builtbybamboo.com whois	CLOUDFLARENET	104.21.92.188	clean
ntlwoil.com whois			clean
lna.com.mx whois	LIQUIDWEB	67.225.236.47	clean
btopenworlgmail.com whois			clean
westendsolution.com whois	AS-26496-GO-DADDY-COM-LLC	107.180.1.10	clean
mail.gmaicloud.com whois			clean
bakerisroofing.com whois	LIGHTEDGE-AS-02	216.81.136.20	clean
itisgiovannixxiii.email.com whois	ULTRADNS	204.74.99.100	clean
alt1.aspmx.l.google.com whois	GOOGLE	142.250.141.27	clean
jpsc.co.za whois			clean
mail.gmail.l.edu.co whois			clean
mi.unc.edu.ar whois	Universidad Nacional de Cordoba	200.16.16.57	clean
gosmart.id whois	PT ARDETAMEDIA GLOBAL KOMPUTINDO	103.131.51.10	clean
protl.com whois	AMAZON-02	13.248.169.48	clean
nojesevent.se whois	Loopia AB	194.9.94.85	clean
71d5094d4da04584ea07f8dad8876a.mail.outlook.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.40.1	clean
o2.co.um whois			clean
gorina.cat whois	1&1 Ionos Se	217.76.156.252	clean
outloove.nl whois			clean
doc.mux whois			clean
tre.com.ng whois			clean
mx1.simplelogin.co whois	Proton Technologies AG	176.119.200.136	clean
egst.edu.et whois	DIMENOC	162.221.189.186	clean
awartany.com whois	1&1 Ionos Se	74.208.236.160	clean
nvhrw.com whois	Trellian Pty. Limited	103.224.212.212	clean
gmail.coive.com whois	AMAZON-AES	52.71.57.184	clean
ftp.webbero.it whois			clean
ftp.live.nail.com whois			clean
victorysvg.ccom whois			clean
volvo.ctps whois			clean
kpnmail.il.com whois			clean
o2.co.uk.com whois			clean
yahoo.cmx.de whois			clean
inboxgmx.de whois			clean
mail.h-email.net whois	Hetzner Online GmbH	5.161.194.135	clean
aleeas.com whois	CLOUDFLARENET	172.67.155.39	clean
www.saintjeandedieu.com whois	OVH SAS	213.186.33.5	clean
ohsjd-fr.mail.protection.outlook.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	104.47.25.36	clean
gmaicloud.com whois			clean
isise-edu-pe.mail.protection.outlook.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.11.9	clean
aspmx2.googlemail.com whois	GOOGLE	142.250.141.26	clean
ftp.gmail.penny-arcade.com whois			clean
gmailley.net whois			clean
quimifen.com whois	A2HOSTING	66.198.240.40	clean
enexumhotmail.com whois			clean
blueyonderres.com whois			clean
rbowprems.ga whois			clean
mail.mailerhost.net whois	DIGITALOCEAN-ASN	161.35.84.83	clean
msnt.cat whois			clean
brazilianl.com whois			clean
gmx.dem.br whois			clean
fastmail.cmail.ru whois			clean
park-mx.above.com whois	Trellian Pty. Limited	103.224.212.34	clean
www.hugedomains.com whois	CLOUDFLARENET	172.67.70.191	clean
alt4.aspmx.l.google.com whois	GOOGLE	142.250.152.27	clean
eru.edu.eg whois	CLOUDFLARENET	104.21.44.179	clean
simplelogin.io whois	Proton Technologies AG	176.119.200.11	clean
butteredtoast.iomail.com whois			clean
alt3.aspmx.l.google.com whois	GOOGLE	64.233.171.26	clean
mail.doc.mux whois			clean
yahlook.com whois			clean
mail.gmailley.net whois			clean
myschool.hail.com whois			clean
ftp.starmarkshipping.cocom whois			clean
gmail.tps whois			clean
gmail.cve.com whois			clean
cobaep.edu.mx whois		172.16.42.2	clean
blueil.com whois	AMAZON-AES	34.205.242.146	clean
mail.btopenworlgmail.com whois			clean
fbsdigitalstore.pk whois	CLOUDFLARENET	104.16.159.43	clean
www.restajet.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.40.209.181	clean
email.cde whois			clean
mx20.antispam.mailspamprotection.com whois	GOOGLE	34.120.156.61	clean
mx2.emailsrvr.com whois	RACKSPACE	184.106.54.2	clean
hotmail.nde whois			clean
redifr.cl whois			clean
qroo.nuevaescuela.mx whois	GOOGLE	34.70.211.130	clean
www.freecycle.com.br whois		18.64.8.47	clean
cook.de whois	Cronon Aktiengesellschaft	192.166.192.19	clean
mail.redifr.cl whois			clean
smtpin.rzone.de whois	Strato AG	81.169.145.97	clean
mx03b.anti-spam-premium.com whois	LIQUIDWEB	209.59.183.18	clean
gmafreenet.de whois			clean
ftp.freemail.hm whois			clean
gmail.coe.com whois			clean
bamboo.cr whois	CLOUDFLARENET	104.21.88.58	clean
mx.gspnet.it whois	Aruba S.p.A.	62.149.128.157	clean
frontaggmail.com whois			clean
autenticar.unc.edu.ar whois	Universidad Nacional de Cordoba	200.16.16.171	clean
frigonor.cl whois	CLOUDFLARENET	23.227.38.65	clean
istitutocomprensivorosate.edu.it whois	AMAZON-02	15.188.65.152	clean
telefonica.nl.com whois			clean
abv.bgo.uk whois			clean
unipanamericantmail.com whois			clean
bakerisroofing-com.mail.protection.outlook.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	104.47.74.10	clean
mail.blueyonderres.com whois			clean
domain-cn-1.cuiqiu.net whois		82.156.150.164	clean
jomaroil.com.br whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
mail.customhost.de whois		202.61.249.4	clean
steamlogic.org whois	AMAZON-02	3.0.11.115	clean
paslo.de whois	Strato AG	81.169.145.158	clean
live.lkqcorp.com whois			clean
ah105.wadax.ne.jp whois	NTT SmartConnect Corporation	211.1.224.155	clean
gmail.penny-arcade.com whois			clean
nvrinc.coml.com whois	AMAZON-02	99.83.248.67	clean
hotmail.comnisdubai.ae whois			clean
mail.abv.bgo.uk whois			clean
westendsolution-com.mail.protection.outlook.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.9.2	clean
vo.de whois	Vautron Rechenzentrum AG	91.223.145.55	clean
gmailahoo.at whois			clean
t-online.d.com whois			clean
mail.email.cde whois			clean
alt2.aspmx.l.google.com whois	GOOGLE	142.250.115.26	clean
transformadoresvictory.com.mx whois	GOOGLE-2	35.215.101.188	clean
gmail.l.edu.co whois			clean
isise.edu.pe whois			clean
aspmx4.googlemail.com whois	GOOGLE	64.233.171.27	clean
50.7.8.141 whois	COGENT-174	50.7.8.141	clean
34.70.211.130 whois	GOOGLE	34.70.211.130	clean
91.121.160.6 whois	OVH SAS	91.121.160.6	clean
64.233.171.26 whois	GOOGLE	64.233.171.26	clean
64.233.171.27 whois	GOOGLE	64.233.171.27	clean
173.203.187.2 whois	RACKSPACE	173.203.187.2	clean
49.13.4.90 whois	Hetzner Online GmbH	49.13.4.90	clean
204.141.33.44 whois	ZOHO-AS	204.141.33.44	clean
217.76.156.252 whois	1&1 Ionos Se	217.76.156.252	mailcious
176.119.200.11 whois	Proton Technologies AG	176.119.200.11	clean
99.83.248.67 whois	AMAZON-02	99.83.248.67	mailcious
8.219.60.166 whois		8.219.60.166	clean
107.180.1.10 whois	AS-26496-GO-DADDY-COM-LLC	107.180.1.10	clean
74.125.23.26 whois	GOOGLE	74.125.23.26	clean
176.119.200.136 whois	Proton Technologies AG	176.119.200.136	clean
74.208.236.160 whois	1&1 Ionos Se	74.208.236.160	clean
172.67.173.78 whois	CLOUDFLARENET	172.67.173.78	clean
13.248.169.48 whois	AMAZON-02	13.248.169.48	mailcious
52.101.40.6 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.40.6	clean
104.21.92.188 whois	CLOUDFLARENET	104.21.92.188	clean
104.22.57.191 whois	CLOUDFLARENET	104.22.57.191	clean
54.209.32.212 whois	AMAZON-AES	54.209.32.212	mailcious
172.67.202.98 whois	CLOUDFLARENET	172.67.202.98	clean
50.21.186.234 whois	1&1 Ionos Se	50.21.186.234	clean
103.224.212.34 whois	Trellian Pty. Limited	103.224.212.34	clean
162.221.189.186 whois	DIMENOC	162.221.189.186	clean
199.59.243.225 whois		199.59.243.225	mailcious
52.71.57.184 whois	AMAZON-AES	52.71.57.184	mailcious
52.86.6.113 whois	AMAZON-AES	52.86.6.113	mailcious
52.101.42.13 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.42.13	clean
52.101.42.10 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.42.10	clean
104.21.44.179 whois	CLOUDFLARENET	104.21.44.179	clean
172.67.155.39 whois	CLOUDFLARENET	172.67.155.39	clean
34.120.156.61 whois	GOOGLE	34.120.156.61	clean
128.201.75.205 whois	MEGA PROVEDOR - SERVICOS DE INTERNET LTDA - ME	128.201.75.205	clean
192.166.192.19 whois	Cronon Aktiengesellschaft	192.166.192.19	clean
52.101.8.34 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.8.34	clean
5.161.98.212 whois	Hetzner Online GmbH	5.161.98.212	clean
209.61.212.154 whois	HOPONE-GLOBAL	209.61.212.154	clean
104.21.88.58 whois	CLOUDFLARENET	104.21.88.58	clean
54.232.92.235 whois	AMAZON-02	54.232.92.235	clean
15.188.65.152 whois	AMAZON-02	15.188.65.152	clean
202.61.249.4 whois		202.61.249.4	clean
89.46.105.48 whois	Aruba S.p.A.	89.46.105.48	malware
162.241.252.227 whois	UNIFIEDLAYER-AS-1	162.241.252.227	clean
52.101.42.6 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.42.6	clean
81.169.145.158 whois	Strato AG	81.169.145.158	mailcious
91.223.145.55 whois	Vautron Rechenzentrum AG	91.223.145.55	clean
194.9.94.86 whois	Loopia AB	194.9.94.86	mailcious
194.9.94.85 whois	Loopia AB	194.9.94.85	mailcious
52.55.70.181 whois	AMAZON-AES	52.55.70.181	clean
211.1.224.155 whois	NTT SmartConnect Corporation	211.1.224.155	clean
142.250.141.26 whois	GOOGLE	142.250.141.26	clean
142.250.141.27 whois	GOOGLE	142.250.141.27	clean
45.136.244.187 whois	LLC Baxet	45.136.244.187	clean
104.16.159.43 whois	CLOUDFLARENET	104.16.159.43	mailcious
66.198.240.40 whois	A2HOSTING	66.198.240.40	clean
104.21.6.144 whois	CLOUDFLARENET	104.21.6.144	clean
213.186.33.5 whois	OVH SAS	213.186.33.5	mailcious
35.215.101.188 whois	GOOGLE-2	35.215.101.188	clean
3.130.204.160 whois	AMAZON-02	3.130.204.160	clean
185.205.70.136 whois		185.205.70.136	clean
35.236.231.204 whois	GOOGLE	35.236.231.204	clean
20.40.209.181 whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.40.209.181	clean
204.74.99.100 whois	ULTRADNS	204.74.99.100	suspicious
142.250.115.26 whois	GOOGLE	142.250.115.26	clean
139.162.210.252 whois	Linode, LLC	139.162.210.252	mailcious
104.17.9.99 whois	CLOUDFLARENET	104.17.9.99	clean
52.101.11.2 whois	MICROSOFT-CORP-MSN-AS-BLOCK	52.101.11.2	clean
104.47.24.36 whois	MICROSOFT-CORP-MSN-AS-BLOCK	104.47.24.36	clean
3.130.253.23 whois	AMAZON-02	3.130.253.23	mailcious
198.58.118.167 whois	Linode, LLC	198.58.118.167	mailcious
67.225.236.47 whois	LIQUIDWEB	67.225.236.47	clean
67.227.237.112 whois	LIQUIDWEB	67.227.237.112	clean
172.67.9.103 whois	CLOUDFLARENET	172.67.9.103	clean
142.250.152.26 whois	GOOGLE	142.250.152.26	clean
223.120.1.10 whois	Level 30, Tower 1	223.120.1.10	clean
103.224.212.212 whois	Trellian Pty. Limited	103.224.212.212	mailcious
104.47.25.36 whois	MICROSOFT-CORP-MSN-AS-BLOCK	104.47.25.36	clean
104.47.74.10 whois	MICROSOFT-CORP-MSN-AS-BLOCK	104.47.74.10	clean
104.26.7.37 whois	CLOUDFLARENET	104.26.7.37	clean
161.35.84.83 whois	DIGITALOCEAN-ASN	161.35.84.83	clean
91.107.214.206 whois	Hetzner Online GmbH	91.107.214.206	clean
81.169.145.97 whois	Strato AG	81.169.145.97	clean
200.16.16.57 whois	Universidad Nacional de Cordoba	200.16.16.57	clean
192.124.249.103 whois	SUCURI-SEC	192.124.249.103	clean
18.64.8.47 whois		18.64.8.47	clean
82.156.150.164 whois		82.156.150.164	clean
216.81.136.20 whois	LIGHTEDGE-AS-02	216.81.136.20	clean
3.18.7.81 whois	AMAZON-02	3.18.7.81	mailcious
3.94.41.167 whois	AMAZON-AES	3.94.41.167	mailcious
3.0.11.115 whois	AMAZON-02	3.0.11.115	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x40100c TlsGetValue
0x401010 SetLocalTime
0x401014 FindResourceW
0x401018 GlobalAddAtomA
0x40101c GetConsoleAliasA
0x401020 InitializeSListHead
0x401024 CreateJobObjectW
0x401028 SetComputerNameW
0x40102c GetModuleHandleW
0x401030 CreateNamedPipeW
0x401034 GetConsoleAliasesA
0x401038 GetPrivateProfileStringW
0x40103c GetWindowsDirectoryA
0x401040 GetGeoInfoW
0x401044 LoadLibraryW
0x401048 ReadConsoleInputA
0x40104c GetSystemWindowsDirectoryA
0x401050 GetConsoleAliasExesLengthW
0x401054 GetNamedPipeInfo
0x401058 CreateFileW
0x40105c GetVolumePathNameA
0x401060 GetLastError
0x401064 GetComputerNameA
0x401068 GetProcAddress
0x40106c VirtualAlloc
0x401070 EnumDateFormatsExA
0x401074 SearchPathA
0x401078 OpenWaitableTimerA
0x40107c LocalAlloc
0x401080 CreateFileMappingW
0x401084 SetConsoleDisplayMode
0x401088 GetNumberFormatW
0x40108c RemoveDirectoryW
0x401090 SetConsoleWindowInfo
0x401094 GetSystemInfo
0x401098 GlobalFindAtomW
0x40109c FindFirstVolumeMountPointA
0x4010a0 FreeEnvironmentStringsW
0x4010a4 EndUpdateResourceA
0x4010a8 ReadConsoleInputW
0x4010ac GetWindowsDirectoryW
0x4010b0 GetCurrentProcessId
0x4010b4 DebugActiveProcess
0x4010b8 SetLastError
0x4010bc UnhandledExceptionFilter
0x4010c0 SetUnhandledExceptionFilter
0x4010c4 Sleep
0x4010c8 ExitProcess
0x4010cc GetCommandLineA
0x4010d0 GetStartupInfoA
0x4010d4 RaiseException
0x4010d8 RtlUnwind
0x4010dc WriteFile
0x4010e0 GetStdHandle
0x4010e4 GetModuleFileNameA
0x4010e8 TerminateProcess
0x4010ec GetCurrentProcess
0x4010f0 IsDebuggerPresent
0x4010f4 HeapAlloc
0x4010f8 HeapFree
0x4010fc EnterCriticalSection
0x401100 LeaveCriticalSection
0x401104 SetHandleCount
0x401108 GetFileType
0x40110c DeleteCriticalSection
0x401110 TlsAlloc
0x401114 TlsSetValue
0x401118 TlsFree
0x40111c InterlockedIncrement
0x401120 GetCurrentThreadId
0x401124 InterlockedDecrement
0x401128 CloseHandle
0x40112c LoadLibraryA
0x401130 InitializeCriticalSectionAndSpinCount
0x401134 FreeEnvironmentStringsA
0x401138 GetEnvironmentStrings
0x40113c WideCharToMultiByte
0x401140 GetEnvironmentStringsW
0x401144 HeapCreate
0x401148 VirtualFree
0x40114c QueryPerformanceCounter
0x401150 GetTickCount
0x401154 GetSystemTimeAsFileTime
0x401158 HeapReAlloc
0x40115c GetModuleHandleA
0x401160 SetFilePointer
0x401164 GetConsoleCP
0x401168 GetConsoleMode
0x40116c GetCPInfo
0x401170 GetACP
0x401174 GetOEMCP
0x401178 IsValidCodePage
0x40117c SetStdHandle
0x401180 FlushFileBuffers
0x401184 HeapSize
0x401188 GetLocaleInfoA
0x40118c WriteConsoleA
0x401190 GetConsoleOutputCP
0x401194 WriteConsoleW
0x401198 MultiByteToWideChar
0x40119c LCMapStringA
0x4011a0 LCMapStringW
0x4011a4 GetStringTypeA
0x4011a8 GetStringTypeW
0x4011ac CreateFileA
USER32.dll
0x4011b4 GetMessageExtraInfo
0x4011b8 CharToOemBuffA
GDI32.dll
0x401000 GetCharWidth32A
0x401004 GetCharABCWidthsFloatW

EAT(Export Address Table) is none

Report - sservc.exe

Signature (26cnts)

Rules (19cnts)

Network (334cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure