Windows Analysis Report
svchostinter.exe

Overview

General Information

Sample name: svchostinter.exe
Analysis ID: 1564408
MD5: 61f3c4028bb365ed68eccb303b411043
SHA1: 46b41e18817579f95dfc7efaf8ae799337129b39
SHA256: c30fc17df989f401a1518088a58bef58c6e0ee7b91960452a547c87af9cda957
Tags: CobaltStrike, exe, malware, user-Joker

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Performs DNS queries to domains with low reputation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • svchostinter.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\svchostinter.exe" MD5: 61F3C4028BB365ED68ECCB303B411043)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike): {"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "632313373.xyz,/api/3", "HttpPostUri": "/api/4", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "Host: 632313373.xyz\r\n"}
Source | Rule | Description | Author | Strings
00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
      • 0x32760:$a39: %s as %s\%s: %d
      • 0x41be2:$a41: beacon.x64.dll
      • 0x33970:$a46: %s (admin)
      • 0x328d8:$a48: %s%s: %s
      • 0x3278c:$a50: %02d/%02d/%02d %02d:%02d:%02d
      • 0x327b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
      • 0x339d9:$a51: Content-Length: %d
00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
      • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
      • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
      • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
      Source | Rule | Description | Author | Strings
      0.2.svchostinter.exe.2300000.1.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
      0.2.svchostinter.exe.2300000.1.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
      0.2.svchostinter.exe.2300000.1.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
      0.2.svchostinter.exe.2300000.1.unpack | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
            • 0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
      0.2.svchostinter.exe.2300000.1.unpack | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
            • 0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
            • 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
            No Sigma rule has matched
            No Suricata rule has matched

            AV Detection

            Source: https://632313373.xyz:8443/api/3r | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/34 | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/I | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3I | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3a | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3u | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz/B | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3 | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3.xyz:8443/api/3 | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3L | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz/ | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/ | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/332 | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3G | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3d06B | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/- | Avira URL Cloud: Label: malware
            Source: 632313373.xyz | Avira URL Cloud: Label: malware
            Source: https://632313373.xyz:8443/api/3ed | Avira URL Cloud: Label: malware
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "632313373.xyz,/api/3", "HttpPostUri": "/api/4", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "Host: 632313373.xyz\r\n"}
            Source: svchostinter.exe | ReversingLabs: Detection: 52%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Networking

            Source: Malware configuration extractor | URLs: 632313373.xyz
            Source: DNS query: 632313373.xyz
            Source: Joe Sandbox View | IP Address: 172.67.175.230
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: 632313373.xyz
            Source: svchostinter.exe, 00000000.00000003.2202385626.0000000000116000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000116000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.0000000000116000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz/
            Source: svchostinter.exe, 00000000.00000003.2202385626.0000000000116000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000116000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.0000000000116000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz/B
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/-
            Source: svchostinter.exe, 00000000.00000002.2497226681.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/I
            Source: svchostinter.exe, 00000000.00000003.1487257380.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3.xyz:8443/api/3
            Source: svchostinter.exe, 00000000.00000002.2497226681.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/332
            Source: svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/34
            Source: svchostinter.exe, 00000000.00000002.2497226681.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3G
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3I
            Source: svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3L
            Source: svchostinter.exe, 00000000.00000002.2497226681.0000000000101000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202385626.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3a
            Source: svchostinter.exe, 00000000.00000003.2202385626.0000000000103000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3d06B
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3ed
            Source: svchostinter.exe, 00000000.00000002.2497226681.0000000000101000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3r
            Source: svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://632313373.xyz:8443/api/3u

            System Summary

            Source: 0.2.svchostinter.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.svchostinter.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 Author: unknown
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 Author: unknown
            Source: Process Memory Space: svchostinter.exe PID: 6176, type: MEMORYSTR | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_004020B0
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00403170
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00460360
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00401B20
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_004603A8
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02321264
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232AAB0
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02310334
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02320374
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232C397
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232239C
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02321928
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02325914
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0230916C
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0230CE3C
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232E600
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02309680
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232C680
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02316F38
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232B7B0
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0232CFF0
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0231F5A8
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0257D280
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02567B38
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0257DBF0
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_025701A8
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02571E64
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02572F9C
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02572528
            Source: svchostinter.exe | Static PE information: Number of sections : 18 > 10
            Source: 0.2.svchostinter.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.svchostinter.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader | author = ditekSHen, description = detects Reflective DLL injection artifacts
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 | date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader | author = ditekSHen, description = detects Reflective DLL injection artifacts
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 | date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
            Source: Process Memory Space: svchostinter.exe PID: 6176, type: MEMORYSTR | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
            Source: svchostinter.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\svchostinter.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: svchostinter.exe | ReversingLabs: Detection: 52%
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\svchostinter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
            Source: svchostinter.exe | Static PE information: section name: .xdata
            Source: svchostinter.exe | Static PE information: section name: /4
            Source: svchostinter.exe | Static PE information: section name: /19
            Source: svchostinter.exe | Static PE information: section name: /31
            Source: svchostinter.exe | Static PE information: section name: /45
            Source: svchostinter.exe | Static PE information: section name: /57
            Source: svchostinter.exe | Static PE information: section name: /70
            Source: svchostinter.exe | Static PE information: section name: /81
            Source: svchostinter.exe | Static PE information: section name: /92
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0045F9A0 push rax; retf 0_2_0045F9A1
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0233776C push 0000006Ah; retf 0_2_02337784
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0255A35D push edi; iretd 0_2_0255A35E
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_025803FC push ebp; iretd 0_2_02580401
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0257B84F push ebp; iretd 0_2_0257B850
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0257B86F push ebp; iretd 0_2_0257B870
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0257B898 push ebp; iretd 0_2_0257B899
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0255C91C pushad ; retf 0_2_0255C91D
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02560901 push ebx; iretd 0_2_02560902
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0255A71E push cs; retf 0_2_0255A71F
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0255BD58 push ebp; iretd 0_2_0255BD59
            Source: C:\Users\user\Desktop\svchostinter.exe TID: 5100 | Thread sleep count: 44 > 30
            Source: C:\Users\user\Desktop\svchostinter.exe TID: 5100 | Thread sleep time: -2640000s >= -30000s
            Source: C:\Users\user\Desktop\svchostinter.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\svchostinter.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\svchostinter.exe | Thread delayed: delay time: 60000
            Source: svchostinter.exe, 00000000.00000002.2497226681.000000000009C000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000125000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.0000000000125000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202385626.0000000000125000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

            Anti Debugging

            Source: C:\Users\user\Desktop\svchostinter.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_0-39461
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0040D110 | free, IsDebuggerPresent, RaiseException
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00401180 | Sleep, Sleep, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, _cexit, _initterm, GetStartupInfoA
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00409020 | RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00460498 | SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_0040F182 | SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_00408F40 | GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
            Source: C:\Users\user\Desktop\svchostinter.exe | Code function: 0_2_02565E28 | GetUserNameA, strrchr, _snprintf
            Source: C:\Users\user\Desktop\svchostinter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Remote Access Functionality

            Source: Yara match | File source: 0.2.svchostinter.exe.2300000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: svchostinter.exe PID: 6176, type: MEMORYSTR
            Source: Yara match | File source: 0.2.svchostinter.exe.2300000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (one list per tactic column; techniques flagged in this analysis carry the count badge shown in the matrix, in parentheses)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (111); DLL Side-Loading (1); Obfuscated Files or Information (1); Binary Padding; Software Packing; Steganography
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: System Time Discovery (1); Security Software Discovery (111); Virtualization/Sandbox Evasion (111); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (3)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Source | Detection | Scanner | Label | Link
            svchostinter.exe | 53% | ReversingLabs | Win64.Trojan.CobaltStrike |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://632313373.xyz:8443/api/3r | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/34 | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/I | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3I | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3a | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3u | 100% | Avira URL Cloud | malware |
            https://632313373.xyz/B | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3 | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3.xyz:8443/api/3 | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3L | 100% | Avira URL Cloud | malware |
            https://632313373.xyz/ | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/ | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/332 | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3G | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3d06B | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/- | 100% | Avira URL Cloud | malware |
            632313373.xyz | 100% | Avira URL Cloud | malware |
            https://632313373.xyz:8443/api/3ed | 100% | Avira URL Cloud | malware |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            632313373.xyz | 172.67.175.230 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            632313373.xyz | true | Avira URL Cloud: malware | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              http://o.pki.goog/s/we1/lk00%svchostinter.exe, 00000000.00000002.2497226681.0000000000101000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202540563.0000000000169000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2121381909.0000000000172000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1624562389.0000000000164000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1768761266.0000000000166000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1433002391.0000000000168000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1337667539.000000000016B000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1677824633.000000000016F000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202385626.0000000000163000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.000000000009C000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202385626.000000000017A000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2121273627.0000000000164000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1677883739.0000000000164000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1487257380.0000000000101000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2497226681.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.2202385626.0000000000132000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 
00000000.00000003.1487257380.0000000000167000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000002.2498638037.0000000000770000.00000004.00000020.00020000.00000000.sdmp, svchostinter.exe, 00000000.00000003.1337667539.0000000000167000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                https://632313373.xyz:8443/api/3usvchostinter.exe, 00000000.00000003.1433002391.0000000000132000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://632313373.xyz:8443/api/34svchostinter.exe, 00000000.00000003.1768761266.0000000000132000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
URL | Malicious | Detection | Reputation
(Source for every entry below: strings recovered from svchostinter.exe process memory dumps)
http://i.pki.goog/we1.crt0 | false | (none) | high
https://632313373.xyz:8443/api/3r | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/I | false | Avira URL Cloud: malware | unknown
http://c.pki.goog/r/gsr1.crl0 | false | (none) | high
https://632313373.xyz:8443/api/3 | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3a | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3.xyz:8443/api/3 | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3L | false | Avira URL Cloud: malware | unknown
https://632313373.xyz/B | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3I | false | Avira URL Cloud: malware | unknown
http://c.pki.goog/we1/PCUeQViQlYc.crl0 | false | (none) | high
https://632313373.xyz:8443/ | false | Avira URL Cloud: malware | unknown
http://i.pki.goog/gsr1.crt0- | false | (none) | high
http://c.pki.goog/r/r4.crl0 | false | (none) | high
https://632313373.xyz/ | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/332 | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3ed | false | Avira URL Cloud: malware | unknown
http://i.pki.goog/r4.crt0 | false | (none) | high
https://632313373.xyz:8443/api/3d06B | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/api/3G | false | Avira URL Cloud: malware | unknown
https://632313373.xyz:8443/- | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.175.230 | 632313373.xyz | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564408
Start date and time: 2024-11-28 09:53:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: svchostinter.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 139
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: svchostinter.exe
Time | Type | Description
03:54:06 | API Interceptor | 44x Sleep call for process: svchostinter.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.175.230 | installer.exe | malicious | LummaC
172.67.175.230 | d3d9.dll | malicious | LummaC
172.67.175.230 | vdCC5gzAn6.exe | malicious | LummaC
172.67.175.230 | vercath63.b-cdn.ps1 | malicious | LummaC, Go Injector
172.67.175.230 | Fluxus_Installer.exe | malicious | LummaC, Go Injector, LummaC Stealer
172.67.175.230 | KEie4St7Tt | malicious | Unknown
172.67.175.230 | Linux_x86 | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 104.21.57.248
CLOUDFLARENETUS | Documents.exe | malicious | FormBook, PureLog Stealer | 172.67.222.69
CLOUDFLARENETUS | inseminating.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | https://public-fra.mkt.dynamics.com/api/orgs/85a8c477-bea7-ef11-8a66-0022483994f9/r/MKSqoVs73k-RUO5uHPfRswIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fassets-fra.mkt.dynamics.com%252F85a8c477-bea7-ef11-8a66-0022483994f9%252Fdigitalassets%252Fstandaloneforms%252F46042089-b8ac-ef11-a72d-6045bd6e29e8%22%2C%22RedirectOptions%22%3A%7B%226%22%3A%22mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%22%2C%221%22%3Anull%7D%7D&digest=juexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%3D&secretVersion=02e7c83d621d4269af2f08a8e4e233cf | malicious | Unknown | 104.21.86.60
CLOUDFLARENETUS | https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w== | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | A27D-Pikolinos Digital Advertising Strategy.docx.lnk.download.lnk | malicious | Abobus Obfuscator | 172.65.251.78
CLOUDFLARENETUS | hnsdfs2711.bat | malicious | Abobus Obfuscator | 172.65.251.78
CLOUDFLARENETUS | HNsuunto27.bat | malicious | Abobus Obfuscator | 172.65.251.78
CLOUDFLARENETUS | https://pixmar.co.za/.well-known/.js/ | malicious | Unknown | 104.18.95.41
No context
No context
                                          No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.194735838511048
TrID:
• Win64 Executable GUI (202006/5) 92.64%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• VXD Driver (31/22) 0.01%
File name: svchostinter.exe
File size: 474'329 bytes
MD5: 61f3c4028bb365ed68eccb303b411043
SHA1: 46b41e18817579f95dfc7efaf8ae799337129b39
SHA256: c30fc17df989f401a1518088a58bef58c6e0ee7b91960452a547c87af9cda957
SHA512: 2ef11da22537f071bec58015248597d8747b7de62989262568376a15d61bb3e328271ea950488f5dcbb1913556119fbb37898d704d884558a58581e400495548
SSDEEP: 12288:jVzXVcGcT62x/JtPCAw5UHsOWgnZK/LI+tmiV/+1Edh:JzXA62x/i1OTnZi3V/+1Edh
TLSH: E4A4AD637FA5CF59D8057338A6DB9528573AF0ED03120F0A5623AA33FE53880759EB64
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...V.6g.Z........'...........................@............................................... ............................
Icon Hash: 13170f0f8f060c0c
Entrypoint: 0x4014b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp: 0x6736F756 [Fri Nov 15 07:25:10 2024 UTC]
TLS Callbacks: 0x409150
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 5b928a8f4e4a094efc0701738c18f7f0
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60000 | 0xe28 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0x1398 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5d000 | 0xf0c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5c5e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x60358 | 0x308 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xe498 | 0xe600 | fbb9c0438dc4c2127087b7049c66376e | False | 0.5271059782608696 | data | 6.216214437930655 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x4b360 | 0x4b400 | 5cdfe59af8f8c6baaf8ece22d0516dd8 | False | 0.6853100342607974 | data | 7.433537548333141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x5c000 | 0xd10 | 0xe00 | a96f5fdad948cc7cde991fd1050d7d9d | False | 0.40625 | data | 4.583284955248966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x5d000 | 0xf0c | 0x1000 | 22ebade26ebc9960ca8250e61716ffb4 | False | 0.46728515625 | data | 4.673330528241354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x5e000 | 0xd90 | 0xe00 | bc35f906da09210655f49331958d3ca6 | False | 0.22433035714285715 | data | 4.042408256669859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x5f000 | 0xae0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x60000 | 0xe28 | 0x1000 | faf38979b5e556d3af7021a8a6208319 | False | 0.29931640625 | data | 3.961484142958882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x61000 | 0x70 | 0x200 | 9188999fffb8b4aab400a7e227e96594 | False | 0.076171875 | data | 0.3242125245953951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x62000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x63000 | 0x1398 | 0x1398 | f2be25bf0967f068e9e7e30e3472b29c | False | 0.2458133971291866 | data | 3.911829265260592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x65000 | 0x80 | 0x200 | e66e45f53d54b7b6505ca6e8f0aa7290 | False | 0.103515625 | data | 0.39435882474477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x66000 | 0x475e | 0x4800 | 95b0ff65c5b67c59d55e116eb7438553 | False | 0.3928493923611111 | data | 5.967488568036755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0x6b000 | 0x500 | 0x600 | 376602388f36e2131f481e79b13268c6 | False | 0.3111979166666667 | data | 4.2370580733237615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0x6c000 | 0x704 | 0x800 | 719659a21f2b0018949cdb1b4e93d25e | False | 0.43505859375 | data | 5.113895082808044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0x6d000 | 0x130 | 0x200 | 2a0e45445341847b4184e143318fed09 | False | 0.375 | data | 2.655788533516559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0x6e000 | 0x12c | 0x200 | da6bb64456072fa6a17880b326fe66d6 | False | 0.375 | data | 3.8316609167251707 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0x6f000 | 0x74e | 0x800 | a8b47f9f9dccfbe27b4a40e1d68fd415 | False | 0.21728515625 | data | 1.7520776596242025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92 | 0x70000 | 0x1f0 | 0x200 | 86fa71369197029a259ef41e9e0d6f40 | False | 0.193359375 | data | 0.9967668471309872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x630f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.1977016885553471
RT_GROUP_ICON | 0x641a0 | 0x14 | data | English | United States | 1.1
RT_MANIFEST | 0x641b8 | 0x1ca | XML 1.0 document, ASCII text, with very long lines (456), with CRLF line terminators | English | United States | 0.5764192139737991
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, OutputDebugStringA, QueryPerformanceCounter, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _fileno, _fmode, _initterm, _onexit, _setjmp, _setmode, _strdup, _ultoa, abort, calloc, exit, fflush, fprintf, free, fwrite, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strlen, strncmp, vfprintf
USER32.dll | MessageBoxA
Language of compilation system | Country where language is spoken | Map
English | United States | -
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Nov 28, 2024 09:54:40.074929953 CET844349766172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:40.075012922 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:40.075396061 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:40.076385975 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:40.195285082 CET844349766172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:40.196346045 CET844349766172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:41.414092064 CET844349766172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:41.414185047 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.523464918 CET497588443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.527374029 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.643659115 CET844349758172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:41.643740892 CET497588443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.647425890 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:41.647499084 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.647835970 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:41.767693043 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:42.753256083 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:42.753401041 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:42.754143953 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:42.755213976 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:42.874034882 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:42.875096083 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:44.027632952 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:44.027693033 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.132750988 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.133266926 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.253290892 CET844349766172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:44.253459930 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:44.253525972 CET497668443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.253582954 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.253931046 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:44.373773098 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:45.386734962 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:45.386811972 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:45.390239000 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:45.399108887 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:45.512600899 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:45.521526098 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:46.741605997 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:46.741691113 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:46.851644993 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:46.859826088 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:46.972023010 CET844349774172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:46.972089052 CET497748443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:46.979757071 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:46.979842901 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:46.980182886 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:47.100049973 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:48.198847055 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:48.198929071 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:48.211241007 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:48.219610929 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:48.331634045 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:48.339591026 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:49.566291094 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:49.566469908 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.679835081 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.680309057 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.800174952 CET844349780172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:49.800268888 CET497808443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.800393105 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:49.800465107 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.800754070 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:49.920598030 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:50.949328899 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:50.949420929 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:50.949834108 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:50.950864077 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:51.069783926 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:51.070751905 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:53.187223911 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:53.187298059 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.289236069 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.289736986 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.409431934 CET844349787172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:53.409507036 CET497878443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.409600019 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:53.409859896 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.410141945 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:53.531193972 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:54.497344017 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:54.497530937 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:54.498003960 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:54.499047041 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:54.618000031 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:54.618935108 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:55.832390070 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:55.832463026 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:55.945410013 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:55.954467058 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:56.065690994 CET844349793172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:56.065807104 CET497938443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:56.074717045 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:56.074812889 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:56.075134039 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:56.195029974 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:57.254997969 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:57.255078077 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:57.260839939 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:57.263169050 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:57.381059885 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:57.383105993 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:58.595587969 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:58.598731995 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.711074114 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.711524963 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.831320047 CET844349802172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:58.831396103 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:58.831497908 CET498028443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.831533909 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.831845045 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:58.951724052 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:59.987442970 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:54:59.987550020 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:54:59.988725901 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:00.001776934 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:00.108617067 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:00.121891022 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:01.323395014 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:01.323504925 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.430150986 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.430653095 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.550734043 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:01.551234007 CET844349808172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:01.551384926 CET498088443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.551744938 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.551744938 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:01.671843052 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:02.696099997 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:02.696177006 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:02.696611881 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:02.703886986 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:02.816859007 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:02.823966026 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:04.035514116 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:04.035617113 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.148621082 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.149056911 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.269022942 CET844349815172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:04.269057989 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:04.269078970 CET498158443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.269146919 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.269450903 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:04.389477968 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:05.403137922 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:05.403211117 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:05.403628111 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:05.404613018 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:05.523521900 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:05.524703979 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:06.775496960 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:06.775557041 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:06.882894993 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:06.883347988 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:07.065737009 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:07.065753937 CET844349821172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:07.065830946 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:07.065853119 CET498218443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:07.066148043 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:07.186002970 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:08.153637886 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:08.156689882 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:08.157059908 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:08.158009052 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:08.276937962 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:08.277887106 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:09.491096020 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:09.491159916 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.601711988 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.602247953 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.721978903 CET844349827172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:09.722135067 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:09.722131014 CET498278443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.722214937 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.722573042 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:09.843451977 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:10.815428972 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:10.815496922 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:10.815995932 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:10.817084074 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:10.935895920 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:10.937032938 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:12.159091949 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:12.159328938 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.273518085 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.273972988 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.393919945 CET844349834172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:12.393949986 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:12.394022942 CET498348443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.394078016 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.394428015 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:12.514254093 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:13.534322023 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:13.534409046 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:13.534794092 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:13.535746098 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:13.654694080 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:13.655651093 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:14.855689049 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:14.855746031 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:14.961078882 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:14.961586952 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:15.081357002 CET844349841172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:15.081453085 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:15.081492901 CET498418443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:15.081557989 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:15.081923008 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:15.201822996 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:16.215038061 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:16.215107918 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:16.215445995 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:16.216538906 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:16.335457087 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:16.336433887 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:17.524642944 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:17.524801016 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.632946968 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.633413076 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.753279924 CET844349849172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:17.753351927 CET498498443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.753381014 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:17.753446102 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.753751993 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:17.873701096 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:18.887876034 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:18.887960911 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:18.888339996 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:18.889488935 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:19.008277893 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:19.009532928 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:20.206583023 CET844349863172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:20.206722021 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.320461988 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.321000099 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.441258907 CET844349857172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:20.441380978 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:20.441426992 CET498578443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.441505909 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.442122936 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:20.562165976 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:21.576292038 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:21.576375961 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:21.576874018 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:21.577907085 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:21.696778059 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:21.697781086 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:22.909682989 CET844349870172.67.175.230192.168.2.7
                                          Nov 28, 2024 09:55:22.909993887 CET498708443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:23.023655891 CET498638443192.168.2.7172.67.175.230
                                          Nov 28, 2024 09:55:23.024163008 CET498768443192.168.2.7172.67.175.230
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Nov 28, 2024 09:54:03.780816078 CET | 64857       | 53        | 192.168.2.7 | 1.1.1.1
Nov 28, 2024 09:54:04.282191992 CET | 53          | 64857     | 1.1.1.1     | 192.168.2.7
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name          | Type           | Class       | DNS over HTTPS
Nov 28, 2024 09:54:03.780816078 CET | 192.168.2.7 | 1.1.1.1 | 0xf133   | Standard query (0) | 632313373.xyz | A (IP address) | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name          | CName | Address        | Type           | Class       | DNS over HTTPS
Nov 28, 2024 09:54:04.282191992 CET | 1.1.1.1   | 192.168.2.7 | 0xf133   | No error (0) | 632313373.xyz |       | 172.67.175.230 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 09:54:04.282191992 CET | 1.1.1.1   | 192.168.2.7 | 0xf133   | No error (0) | 632313373.xyz |       | 104.21.80.78   | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 03:54:02
Start date: 28/11/2024
Path: C:\Users\user\Desktop\svchostinter.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\svchostinter.exe"
Imagebase: 0x400000
File size: 474'329 bytes
MD5 hash: 61F3C4028BB365ED68ECCB303B411043
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2498548092.00000000005E9000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:2.1%
                                            Dynamic/Decrypted Code Coverage:38.6%
                                            Signature Coverage:9.1%
                                            Total number of Nodes:430
                                            Total number of Limit Nodes:28

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Virtual$AllocCreateMemoryProcessProtectThreadWritememcpymemset
                                            • String ID: H`$mE4kqO
                                            • API String ID: 3644383868-3654040606
                                            • Opcode ID: 6c35c4c5ada221d234b817fabaf15d9911ba988956b9acc0885e402b2b6c1c8f
                                            • Instruction ID: cac0480153a59e5539352c914c10efc6add790a6aff8883ae4d28b51f5392410
                                            • Opcode Fuzzy Hash: 6c35c4c5ada221d234b817fabaf15d9911ba988956b9acc0885e402b2b6c1c8f
                                            • Instruction Fuzzy Hash: 063140B1314B488ADB60DB26EC5435A77A1B789FC5F44412ADE4E47BA5EF3CC505C708

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
                                            • String ID:
                                            • API String ID: 1640792405-0
                                            • Opcode ID: 5254e45e087a85d100be62b4d3bab9730fdab91b635e9821cef48185a4e82a6f
                                            • Instruction ID: 9a2f2e1b2e0b8451fe5b4773d30a19c68a0ff2cb1ea9d3261401347fc2407868
                                            • Opcode Fuzzy Hash: 5254e45e087a85d100be62b4d3bab9730fdab91b635e9821cef48185a4e82a6f
                                            • Instruction Fuzzy Hash: D371AFB1300B4486EB249F56E89076A33A1B745B89F88803BDF49A77E2DF3DC845C709

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 02565FEC: malloc.LIBCMT ref: 02566008
                                            • GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0255CC89), ref: 02565EAF
                                            • strrchr.LIBCMT ref: 02565EED
                                            • _snprintf.LIBCMT ref: 02565F9B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: NameUser_snprintfmallocstrrchr
                                            • String ID:
                                            • API String ID: 1238167203-0
                                            • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                            • Instruction ID: 5de6b090cc77b5ba0bd35e2abd297c0a0c48329da9cf75467490d157f5f17777
                                            • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                            • Instruction Fuzzy Hash: AA41613071CA090FEB58AB6CE45567976D3FBC9310B54452EE48FC3395DE38D9428B4A

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 2339723d0187d3eabc9d45bce590a14953fbf5ae0df4cc1581a2d70476cff4e5
                                            • Instruction ID: 0e5cfb8bbf21bf0993194779b11267c09d46698be9769d74b1dd0315f579f4f8
                                            • Opcode Fuzzy Hash: 2339723d0187d3eabc9d45bce590a14953fbf5ae0df4cc1581a2d70476cff4e5
                                            • Instruction Fuzzy Hash: 86316DB26017448BEB209B21E80875B76A0F745BA9F080229DF9E477E1EF3DD085C759

                                            Control-flow Graph
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CloseHandleValue$ExceptionHandlerRemoveVectored
                                            • String ID:
                                            • API String ID: 2941551293-0
                                            • Opcode ID: 12305fd87e03c33788ad1de6dcfd4ff577b8c7d8d3cfc7a1d05ba0b34cfaa2d1
                                            • Instruction ID: 838aa30564aa730e25aa4d64eb7e2ecad8494aa8bb4ae8f820d1130e2e8d005c
                                            • Opcode Fuzzy Hash: 12305fd87e03c33788ad1de6dcfd4ff577b8c7d8d3cfc7a1d05ba0b34cfaa2d1
                                            • Instruction Fuzzy Hash: C3411B61602B0486EB15AF21D86436A3365EB94B58F04413BDE0A673E5EF3D8889C3DF

                                            Control-flow Graph
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4fc4c249f238666dcf3385c487c1139e4bb994c72b2bcde03ce0aaa01f58539
                                            • Instruction ID: 8fbd67ef3856b77e9e6fdc80194cadf88c811a842c6d7b08799867114ed892b6
                                            • Opcode Fuzzy Hash: c4fc4c249f238666dcf3385c487c1139e4bb994c72b2bcde03ce0aaa01f58539
                                            • Instruction Fuzzy Hash: 5F418272602B00A5DA15EF25DC407A93365F744B88F98843B9E4D27795EF3CD966C30A

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: signal$CriticalInitializeSection
                                            • String ID:
                                            • API String ID: 2323668733-0
                                            • Opcode ID: e2f8b48443e089b7d13c6f23e508881f49eb37b6aa7650f48109c74ef5e911f0
                                            • Instruction ID: 2d1d7027c2084158cf9b4c4f3212c8e2d908e6663a49682bb10b384cca9fa99b
                                            • Opcode Fuzzy Hash: e2f8b48443e089b7d13c6f23e508881f49eb37b6aa7650f48109c74ef5e911f0
                                            • Instruction Fuzzy Hash: 4101F4A0711701B1EB09FB25DC513A82311B794344FD0543BD74D626E5AFBC89AAC31F

                                            Control-flow Graph
                                            APIs
                                              • Part of subcall function 02565FEC: malloc.LIBCMT ref: 02566008
                                            • malloc.LIBCMT ref: 0255CB3B
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                              • Part of subcall function 0256C230: malloc.LIBCMT ref: 0256C29C
                                              • Part of subcall function 0256EAA8: malloc.LIBCMT ref: 0256EAF8
                                              • Part of subcall function 0256EAA8: realloc.LIBCMT ref: 0256EB07
                                            • malloc.LIBCMT ref: 0255CC4A
                                            • _snprintf.LIBCMT ref: 0255CCC1
                                            • _snprintf.LIBCMT ref: 0255CCE7
                                            • _snprintf.LIBCMT ref: 0255CD0E
                                            • free.LIBCMT ref: 0255CEC6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
                                            • String ID:
                                            • API String ID: 74200508-0
                                            • Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
                                            • Instruction ID: 2509dfb4256131282d92bc2d0d7fe59381bef826010fca59d5f1056a240ff806
                                            • Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
                                            • Instruction Fuzzy Hash: 5FC1E330718B564BDB58BB78C8A927D72D3FBD8305F50052E984BC3691EF34D9068B8A

                                            Control-flow Graph
                                            APIs
                                            • _snprintf.LIBCMT ref: 0255E725
                                              • Part of subcall function 0256F63C: _errno.LIBCMT ref: 0256F673
                                              • Part of subcall function 0256F63C: _invalid_parameter_noinfo.LIBCMT ref: 0256F67E
                                            • _snprintf.LIBCMT ref: 0255E7BD
                                            • _snprintf.LIBCMT ref: 0255E7D4
                                            • InternetQueryDataAvailable.WININET ref: 0255E87A
                                            • InternetCloseHandle.WININET ref: 0255E898
                                              • Part of subcall function 02562D70: strchr.LIBCMT ref: 02562DD6
                                              • Part of subcall function 02562D70: _snprintf.LIBCMT ref: 02562E0C
                                              • Part of subcall function 02562C0C: strchr.LIBCMT ref: 02562C69
                                              • Part of subcall function 02562C0C: _snprintf.LIBCMT ref: 02562CB3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$Internetstrchr$AvailableCloseDataHandleQuery_errno_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1135463719-0
                                            • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                            • Instruction ID: 19c3d3be73e868561ecdd00b260ff474b4ccb85b00c007989321abd7d733806c
                                            • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                            • Instruction Fuzzy Hash: 7581D931618A588FDB14EF18D89567AB7E6FBD4315F00052EE88BC3150DF74DA06CB85

                                            Control-flow Graph
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: IoctlSocketclosesocket
                                            • String ID: _Cy
                                            • API String ID: 3445158922-1085951347
                                            • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction ID: 59ec6e9f4d9e0422959774372c0dd4fb67c39660a833249d4352c887779b065b
                                            • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction Fuzzy Hash: 7431E33060CA584BCB54EF28989877ABBE1FBE9315F140A3FE88EC3261DB34C5428745

                                            Control-flow Graph
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: once %p is %d
                                            • API String ID: 383729395-95064319
                                            • Opcode ID: 2ad18cde1ff5e43a0f61139fa673d496163d8a26a510f5dd8c97516348e47458
                                            • Instruction ID: cd003942fe01fc53c0a5c4bd15a0b3ee817a042379b8fa094bf983745c72ee8e
                                            • Opcode Fuzzy Hash: 2ad18cde1ff5e43a0f61139fa673d496163d8a26a510f5dd8c97516348e47458
                                            • Instruction Fuzzy Hash: 9D21AE76215B4485EA15AB16E80136AA3A4FB88BD4F48813AEF4D177A5EF3CC581C38D

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$ConnectOpen
                                            • String ID:
                                            • API String ID: 2790792615-0
                                            • Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
                                            • Instruction ID: 74b1e5add3b2a9a09fabd7797773ea78d1de902edfab7f48058f3acde357f4ba
                                            • Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
                                            • Instruction Fuzzy Hash: 0941B230718B054FDB49EF28D8AA73977D2FB98305F11042EE48BD7651DB78DA068B4A

                                            Control-flow Graph
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction ID: c8b83c47d9817e739afb3a6aea8b4fb381970040eb8d4b5b2de9bcc4c1c6d0cd
                                            • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction Fuzzy Hash: 5561AB36219B8486CA64CB0AE49035AB7A4F7C8B94F504525EFCE83B28DF3DD555CB00

                                            Control-flow Graph
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction ID: b83712c66724fbf5ccbef8ae7081ef7219d7f746a06754e28db4b2874859f63d
                                            • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction Fuzzy Hash: 4C41C272628B8487CB64CB1AE49171AB7A1F3C8B94F101225FACE83B68DF3CD4518F00
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 023223FD
                                              • Part of subcall function 02320A00: _getptd.LIBCMT ref: 02320A16
                                              • Part of subcall function 02320A00: __updatetlocinfo.LIBCMT ref: 02320A4B
                                              • Part of subcall function 02320A00: __updatetmbcinfo.LIBCMT ref: 02320A72
                                            • _errno.LIBCMT ref: 02322402
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • _fileno.LIBCMT ref: 0232242F
                                              • Part of subcall function 02324E54: _errno.LIBCMT ref: 02324E5D
                                              • Part of subcall function 02324E54: _invalid_parameter_noinfo.LIBCMT ref: 02324E68
                                            • write_multi_char.LIBCMT ref: 02322A6B
                                            • write_string.LIBCMT ref: 02322A88
                                            • write_multi_char.LIBCMT ref: 02322AA5
                                            • write_string.LIBCMT ref: 02322B04
                                            • write_string.LIBCMT ref: 02322B3B
                                            • write_multi_char.LIBCMT ref: 02322B5D
                                            • free.LIBCMT ref: 02322B71
                                            • _isleadbyte_l.LIBCMT ref: 02322C42
                                            • write_char.LIBCMT ref: 02322C58
                                            • write_char.LIBCMT ref: 02322C79
                                            • _errno.LIBCMT ref: 02322D7C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 02322D87
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3318157856-1077428164
                                            • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction ID: 149cb80c69317d37b6b94d6e1d9a8f9eb178026a8553c04f862245b9fce1d3a3
                                            • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction Fuzzy Hash: 94422172608AB486EB29CF29DD443BF7BB5F745B88F141006DE4A17AA9DB78C548CB01
                                            APIs
                                              • Part of subcall function 02571600: _getptd.LIBCMT ref: 02571616
                                              • Part of subcall function 02571600: __updatetlocinfo.LIBCMT ref: 0257164B
                                              • Part of subcall function 02571600: __updatetmbcinfo.LIBCMT ref: 02571672
                                            • _errno.LIBCMT ref: 02573002
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • _fileno.LIBCMT ref: 0257302F
                                              • Part of subcall function 02575A54: _errno.LIBCMT ref: 02575A5D
                                              • Part of subcall function 02575A54: _invalid_parameter_noinfo.LIBCMT ref: 02575A68
                                            • write_multi_char.LIBCMT ref: 0257366B
                                            • write_string.LIBCMT ref: 02573688
                                            • write_multi_char.LIBCMT ref: 025736A5
                                            • write_string.LIBCMT ref: 02573704
                                            • write_multi_char.LIBCMT ref: 0257375D
                                            • free.LIBCMT ref: 02573771
                                            • _isleadbyte_l.LIBCMT ref: 02573842
                                            • write_char.LIBCMT ref: 02573858
                                            • write_char.LIBCMT ref: 02573879
                                            • _errno.LIBCMT ref: 0257397C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 02573987
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3613058218-1077428164
                                            • Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
                                            • Instruction ID: d787592a40c6018d403b519966679071ebbcc61872558a2770955bf57b6677e7
                                            • Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
                                            • Instruction Fuzzy Hash: C0527A70998B499ADB2C8B1CE845379BBE1FB95334F1406ADD8C7C3291DB34D802DB4A
                                            APIs
                                              • Part of subcall function 02571600: _getptd.LIBCMT ref: 02571616
                                              • Part of subcall function 02571600: __updatetlocinfo.LIBCMT ref: 0257164B
                                              • Part of subcall function 02571600: __updatetmbcinfo.LIBCMT ref: 02571672
                                            • _errno.LIBCMT ref: 0257258E
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • _fileno.LIBCMT ref: 025725BB
                                              • Part of subcall function 02575A54: _errno.LIBCMT ref: 02575A5D
                                              • Part of subcall function 02575A54: _invalid_parameter_noinfo.LIBCMT ref: 02575A68
                                            • write_multi_char.LIBCMT ref: 02572BEB
                                            • write_string.LIBCMT ref: 02572C08
                                            • write_multi_char.LIBCMT ref: 02572C25
                                            • write_string.LIBCMT ref: 02572C84
                                            • write_multi_char.LIBCMT ref: 02572CDD
                                            • free.LIBCMT ref: 02572CF1
                                            • _isleadbyte_l.LIBCMT ref: 02572DC2
                                            • write_char.LIBCMT ref: 02572DD8
                                            • write_char.LIBCMT ref: 02572DF9
                                            • _errno.LIBCMT ref: 02572EF3
                                            • _invalid_parameter_noinfo.LIBCMT ref: 02572EFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID:
                                            • API String ID: 3613058218-3916222277
                                            • Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
                                            • Instruction ID: f7ed6623839240970a92273354ba52fc505c80c8273caae9024502c7a171d7e9
                                            • Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
                                            • Instruction Fuzzy Hash: 5D522A30998B498ADB2C8B5CE855379BBE1FB95314F24462DDCCBC3152DB34D843878A
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02321989
                                              • Part of subcall function 02320A00: _getptd.LIBCMT ref: 02320A16
                                              • Part of subcall function 02320A00: __updatetlocinfo.LIBCMT ref: 02320A4B
                                              • Part of subcall function 02320A00: __updatetmbcinfo.LIBCMT ref: 02320A72
                                            • _errno.LIBCMT ref: 0232198E
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • _fileno.LIBCMT ref: 023219BB
                                              • Part of subcall function 02324E54: _errno.LIBCMT ref: 02324E5D
                                              • Part of subcall function 02324E54: _invalid_parameter_noinfo.LIBCMT ref: 02324E68
                                            • write_multi_char.LIBCMT ref: 02321FEB
                                            • write_string.LIBCMT ref: 02322008
                                            • _errno.LIBCMT ref: 023222F3
                                            • _invalid_parameter_noinfo.LIBCMT ref: 023222FE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                                            • String ID: -$0
                                            • API String ID: 3246410048-417717675
                                            • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction ID: 9895dae6e2ed54cce86814d90ca3c7c3bca8bbc3b8d6794cb9e93ae5862d958f
                                            • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction Fuzzy Hash: 6C3245726087B486EB24CF19DA447BF7B75F741B88F141106DF8A07A6ADB39C549CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                            • String ID: U
                                            • API String ID: 3902385426-4171548499
                                            • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction ID: e35a0dbdd35af75447294aa6a773b800f3cb5c775c4dbf3170ae33df22d42f4c
                                            • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction Fuzzy Hash: 160212732147A586DB24CF28E48836EB765F788B98F944116EB8A47B58DB3DC24DCB10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: memcpy
                                            • String ID: .. $ not in 0 .. $ notin $ notin $00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$IndexDefect$RangeDefect$fatal.nim$index $sysFatal$value out of range:
                                            • API String ID: 3510742995-4272289982
                                            • Opcode ID: ac4e633d3e089151b616a83183c5873853405b69fc0888cad64d7c5ea4ac35e2
                                            • Instruction ID: 139d7255d6caab5e60f8fe1b97769dcebf786f24b373ad13566b6dae67c42522
                                            • Opcode Fuzzy Hash: ac4e633d3e089151b616a83183c5873853405b69fc0888cad64d7c5ea4ac35e2
                                            • Instruction Fuzzy Hash: 4A5279B2709B8486CB04CF16E94436EBAA1E785BD4F448137EF996BBD6DA3CC141C709
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3442832105-0
                                            • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction ID: d63e76d1219a4acc62b8cfb7990155713016bb8a1cbdf859b61aae65f3610daa
                                            • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction Fuzzy Hash: 0C52D02061CE899BE71AAB2CD8456F1F3E0FFA8309F445618D986C7521FB34E587CB85
                                            APIs
                                            • _snprintf.LIBCMT ref: 02317166
                                            • _snprintf.LIBCMT ref: 02317183
                                            • _snprintf.LIBCMT ref: 023170A5
                                              • Part of subcall function 0231EA3C: _errno.LIBCMT ref: 0231EA73
                                              • Part of subcall function 0231EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0231EA7E
                                            • _snprintf.LIBCMT ref: 023173D8
                                            • _snprintf.LIBCMT ref: 02317734
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3442832105-0
                                            • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction ID: f192b28abaa97a7befa3a22c8f6fbe920b7639099d2fc3c37842e47045a9dc08
                                            • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction Fuzzy Hash: F932B762614E8592EB29CF2DE0012E9F3B1FF98799F446501DF8917B24EF39D2A6C740
                                            APIs
                                            • RtlCaptureContext.KERNEL32 ref: 00409034
                                            • RtlLookupFunctionEntry.KERNEL32 ref: 0040904B
                                            • RtlVirtualUnwind.KERNEL32 ref: 0040908D
                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 004090D1
                                            • UnhandledExceptionFilter.KERNEL32 ref: 004090DE
                                            • GetCurrentProcess.KERNEL32 ref: 004090E4
                                            • TerminateProcess.KERNEL32 ref: 004090F2
                                            • abort.MSVCRT ref: 004090F8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
                                            • String ID:
                                            • API String ID: 4278921479-0
                                            • Opcode ID: bb24dcd72ede2996afa9bc0150d18b4d41fca027df9be25fbeb809aa15379045
                                            • Instruction ID: 1fa863f79e76734e06136947bea85831ffdf298910a00a75445ae38b2a455a66
                                            • Opcode Fuzzy Hash: bb24dcd72ede2996afa9bc0150d18b4d41fca027df9be25fbeb809aa15379045
                                            • Instruction Fuzzy Hash: 752134B1210F44D6EB008B61FC8439A33A4F709B9AF44403ADB4E53766EF38C549C709
                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32 ref: 00408F85
                                            • GetCurrentProcessId.KERNEL32 ref: 00408F90
                                            • GetCurrentThreadId.KERNEL32 ref: 00408F99
                                            • GetTickCount.KERNEL32 ref: 00408FA1
                                            • QueryPerformanceCounter.KERNEL32 ref: 00408FAE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                            • String ID:
                                            • API String ID: 1445889803-0
                                            • Opcode ID: f81bd6a2d954b141d02c597524e54509314565fd85326cddcb6073b702ce88a5
                                            • Instruction ID: 1ab052486b6980cd13c945f267ece4b33b31840eb03ce5e8bfca5b0c136d368b
                                            • Opcode Fuzzy Hash: f81bd6a2d954b141d02c597524e54509314565fd85326cddcb6073b702ce88a5
                                            • Instruction Fuzzy Hash: E8118C66711B1486FB204B25FC0831673A0F789BB6F081671AE9C53BA4EB3DC8C5C348
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $<$ailure #%d - %s$e '
                                            • API String ID: 0-963976815
                                            • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction ID: 382187fff49568d689fad987d8cd5b25ce7abffcf61c17a4a57327b3fda716f4
                                            • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction Fuzzy Hash: 4B92D2B2325A8087DB58CB1DE4A573AB7A1F3C8B84F44512AEB9B87794CE3CD551CB04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: DebuggerExceptionPresentRaisefree
                                            • String ID:
                                            • API String ID: 462861877-0
                                            • Opcode ID: db907abfda9dd41e16d4645478f89d6fbd9f9d8eecfa10e887882d7b24497a4f
                                            • Instruction ID: 0d78b2f57df09908e35439bc228b784935e18de2371cc85dad8d2a61f81cdcac
                                            • Opcode Fuzzy Hash: db907abfda9dd41e16d4645478f89d6fbd9f9d8eecfa10e887882d7b24497a4f
                                            • Instruction Fuzzy Hash: 9321D5727017848BFA258FA5A84035B7694EB487E4F08423A9F4E5B7C1EF3CC949C604
                                            Strings
                                            • IndexDefect, xrefs: 0040704F
                                            • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00401B48, 0040205E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$IndexDefect
                                            • API String ID: 0-1475264344
                                            • Opcode ID: 987d171a259b67f2fc5e837d494cce35584c05ccefa1364bda7b5a8fcee2f098
                                            • Instruction ID: 4487049c97ed80a629223fa68b3a00cad483b1da0384370679db1a397d2c2f51
                                            • Opcode Fuzzy Hash: 987d171a259b67f2fc5e837d494cce35584c05ccefa1364bda7b5a8fcee2f098
                                            • Instruction Fuzzy Hash: 83D1ACA37096D48BCB25CB27A9003B9BE629399BC5F448133EF8997BE6D53CC502D705
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ailure #%d - %s$e '
                                            • API String ID: 0-4163927988
                                            • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction ID: 60aae165bfc84964545b7f5beba85bf95fd664ff921401e48698e734981942d6
                                            • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction Fuzzy Hash: E4510DB62146508BDB14CB0DE49472AB7E1F3CC794F84561AE38B8B768DA3CD745CB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _initp_misc_winsig
                                            • String ID:
                                            • API String ID: 2710132595-0
                                            • Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
                                            • Instruction ID: c3bfdbefa136ca24a0ef41226ea53ad0748f40e1e6c8779910a2fdfef584c307
                                            • Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
                                            • Instruction Fuzzy Hash: 61A1CC71619A098FEF94FFB5E8989AA37B2F768301321893A904AC3174DBBCD545CF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction ID: d2813578896444667d55133aa5b949e9ff813d74310c13b704bcaff42d64bc9f
                                            • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction Fuzzy Hash: 8B520A312286558FD31CCB1CC5B1B7AB7E1FB89340F44896DE287CB692C639DA45CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction ID: bd505f3fa0af235cfb62bc91b7ffcb250c32e9cd16b84365ead805b983ab0aa6
                                            • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction Fuzzy Hash: 0752FE312286558FD31CCF1CD4A1E7AB7E1FB8D340F448A6DE28ACB692C639D545CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction ID: d03e926d629e47d30536953b8627a7c04ed4e7bff3f886876d7d87fc2f732a5f
                                            • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction Fuzzy Hash: B55240B23149458BDB08CB1DE4A573AB7A1F3C9B80F44852AE7978B799CE3DD654CB00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction ID: d7d1ac0ad26b2fdb76843183cc5d5aef81cc6bed68beb4552b474e6eaa9bd14d
                                            • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction Fuzzy Hash: 065251B23149808BD708CF1DE4A573AB7E1F3C9B80F44852AE7868B799CA7DD645CB40
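Two of the entries above share an Opcode ID across different dumps: 598c92a7… and b966ddc3… each appear once in the PE-backed region at 0x02300000 and once in the non-PE-backed region at 0x02550000, with a different Instruction ID each time. Pivoting on that is the quickest way to see that the same code has been mapped twice. The Python below is added here as an example and is not part of the Joe Sandbox report: it parses entries in the layout shown on this page (a constructed sample of three entries copied from the report is embedded), lists Opcode IDs seen in more than one region, and flags regions that are executable, writable and not backed by a PE header. Reading the fifth dot-separated field of the .sdmp name as the Win32 PAGE_* protection of the dumped region is an assumption, as are the function names.

```python
"""Added example, not part of the Joe Sandbox report: parse the per-function
"Memory Dump Source" / "Similarity" entries and pivot on Opcode IDs that
recur in more than one memory region."""
import re
from collections import defaultdict

# Constructed sample: three entries copied from the report, trimmed to the
# fields the parser uses (same bullet/label layout as the page).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Similarity
• API ID:
• Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
• Instruction ID: d2813578896444667d55133aa5b949e9ff813d74310c13b704bcaff42d64bc9f
Memory Dump Source
• Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
Similarity
• API ID:
• Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
• Instruction ID: d03e926d629e47d30536953b8627a7c04ed4e7bff3f886876d7d87fc2f732a5f
APIs
• VirtualProtect.KERNEL32(0045F610,00007FFB2B31ADA0,?,?,?,00000001,0040124C), ref: 0040966D
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ProtectVirtual
• Opcode ID: 0d52ca2488176759e471788828c9a841f5c47ec2d898bbec25ad29b593758d2e
• Instruction ID: 792004d391c2955495595ebe6980ceca82694c3fff85f4de56ca0c4668c473bb
"""

FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(
    r"(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

# Assumption: the fifth dot-separated field of the .sdmp name is the Win32
# PAGE_* protection of the dumped region (0x02/0x04/0x08/0x20/0x40 all fit).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def protection_of(sdmp_name: str) -> str:
    fields = sdmp_name.split(".")
    return PAGE_PROTECT.get(int(fields[4], 16), "UNKNOWN")


def parse_entries(report_text: str) -> list[dict]:
    """One dict per 'Memory Dump Source' block with the fields we pivot on.
    Bullets we do not care about (Associated, API refs, xrefs) are skipped."""
    entries, cur = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"apis": "", "opcode_id": None, "instruction_id": None}
            entries.append(cur)
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Source File":
            s = SOURCE_RE.search(val)
            if s:
                cur["file"] = s.group("file")
                cur["offset"] = int(s.group("offset"), 16)
                cur["pe_based"] = s.group("pe") == "true"
                cur["protect"] = protection_of(s.group("file"))
        elif key == "API ID":
            cur["apis"] = val
        elif key == "Opcode ID":
            cur["opcode_id"] = val
        elif key == "Instruction ID":
            cur["instruction_id"] = val
    return entries


def shared_opcode_ids(entries: list[dict]) -> dict[str, list[tuple[int, bool]]]:
    """Opcode IDs seen in more than one region -> sorted [(offset, pe_based)]."""
    regions = defaultdict(set)
    for e in entries:
        if e["opcode_id"] and "offset" in e:
            regions[e["opcode_id"]].add((e["offset"], e["pe_based"]))
    return {oid: sorted(r) for oid, r in regions.items() if len(r) > 1}


def suspicious_regions(entries: list[dict]) -> list[int]:
    """Executable-and-writable regions with no PE header behind them: the
    usual home of an injected Beacon stage."""
    return sorted({e["offset"] for e in entries
                   if "offset" in e and not e["pe_based"]
                   and e["protect"] == "PAGE_EXECUTE_READWRITE"})


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_REPORT)
    for oid, where in shared_opcode_ids(ents).items():
        print(oid[:16], "->", [(hex(o), pe) for o, pe in where])
    print("RWX, not PE-backed:", [hex(o) for o in suspicious_regions(ents)])
```

Run against the full report text, the same pivot lists every function present in both the 0x02300000 and 0x02550000 dumps. That the Opcode ID stays identical while the Instruction ID changes between the two regions fits a hash that ignores operand bytes which shift with the load address, which is what makes it usable as a cross-region pivot for reflectively loaded code.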
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                            • Instruction ID: 40eb80aeda8014e7cd1113d868d1e3bcfe53d9a318e578e84bd941749297ac62
                                            • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                            • Instruction Fuzzy Hash: CFE19472704A4286DB30DB26E4E03AEA7A6F784B98F900115DE4D87BD9EF38D945CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
                                            • Instruction ID: ad2f95aca1f14930b7c4586ad593c89b477db2d3ed4f090e32959f06977ffab3
                                            • Opcode Fuzzy Hash: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
                                            • Instruction Fuzzy Hash: 2EE1B072B1074587EB28DB75EC9036A63A2F788758F489525CB8E97B91EF3CE142C710
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                            • Instruction ID: f4f68e7f162c3702be3ee408d94be190074e9e9c467ac74cd4ca16bce6447fef
                                            • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                            • Instruction Fuzzy Hash: C4D1F772304A8692DF20DFA9D4E03AEA766F7C4B98B801112DF4E97AD9EF34C545CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26ab33150dc87537f52f510b2e2ba2788a4a1a4a0e08b5ed49d10625436f39f3
                                            • Instruction ID: 130ab9c66f48fc49147ca85b718d939e63edffa8eb978330eb583c533b4ce2b2
                                            • Opcode Fuzzy Hash: 26ab33150dc87537f52f510b2e2ba2788a4a1a4a0e08b5ed49d10625436f39f3
                                            • Instruction Fuzzy Hash: 14818972710A9942DB299F06D9503BD2A19EB41BC6F54823FDE2A2BBC5CE7CC744E344
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                            • Instruction ID: da8a7b0252b395f43669229ec63b0206e8a7c2e96de3c4745e1e1f70219a61b3
                                            • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                            • Instruction Fuzzy Hash: E4614732718B4486EB28DF65E88831E73A1F788B94F00552ADE8D83B54DF7DC695CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ddc742aaed828b3c152fccf7f922b45e1de6538d3417b6e85cad7233f89815a
                                            • Instruction ID: 176edfa63ab6d7091f41a4adf3b026887b019585281315ecd56fd0d161b059ae
                                            • Opcode Fuzzy Hash: 0ddc742aaed828b3c152fccf7f922b45e1de6538d3417b6e85cad7233f89815a
                                            • Instruction Fuzzy Hash: 4B4141D7A4EEC44BE3334ABC4D6A16B2F50E5A2E1634E809BC7C046343F95E6C45875B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b46f11850a27ad5e7fd551e2bb98776caf15904dae9729d6ef039d5c0aafcff
                                            • Instruction ID: 36e8ef160cf6648d11ce99ecd9595eb06e52ad85a45ab5d40c31406b9e80f10e
                                            • Opcode Fuzzy Hash: 9b46f11850a27ad5e7fd551e2bb98776caf15904dae9729d6ef039d5c0aafcff
                                            • Instruction Fuzzy Hash: 6A311CE794EEC44FE3334AB88D6A16B3F50E5A2E0534E909BC7C042383F95E5846865B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08b35e1b5f6a629d6a7a56c5a219b4f95b7861e3c92cf6fbf46a5b912a6fa943
                                            • Instruction ID: 4f396a1652b34ae0b81d28ae8c1af0f663cbb833eb6d2d48511bb4e892297c7f
                                            • Opcode Fuzzy Hash: 08b35e1b5f6a629d6a7a56c5a219b4f95b7861e3c92cf6fbf46a5b912a6fa943
                                            • Instruction Fuzzy Hash: 04E07D9B59FBC44BE3724AB84C2612F3F90A592E1534ED05BD7C006357FA5E1C018747
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6c19b7c04672bdd807de61d25cecd1bb598812f09de83fe84ccece8b14e096b
                                            • Instruction ID: 8d6d0f526f5991f3f2719662f04be795b625ebb6f75d0d077600621befd88549
                                            • Opcode Fuzzy Hash: d6c19b7c04672bdd807de61d25cecd1bb598812f09de83fe84ccece8b14e096b
                                            • Instruction Fuzzy Hash: FCB01263498C4040C3000B34CC113A12734C717213F082820424442102D51EC004D119
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: memcpymemset$ErrorLastMessageexit
                                            • String ID: (bad format; library may be wrong architecture)$could no$could no$could not load: $t load: $t load:
                                            • API String ID: 4261093211-3226591272
                                            • Opcode ID: 5c3dc128efc428a3275372bf247cbb7ab0254a3da5540f214b369ba6ceb24773
                                            • Instruction ID: bc7baa4db96d661a53ad6f20f97c030e1de77e3f49d0b69ef48cc7b89f3fb243
                                            • Opcode Fuzzy Hash: 5c3dc128efc428a3275372bf247cbb7ab0254a3da5540f214b369ba6ceb24773
                                            • Instruction Fuzzy Hash: 963103A4B10B5096EF24E763E88970E6355F789B88F84003AAF4D17BC5EE7CC601C309
                                            APIs
                                            • VirtualProtect.KERNEL32(0045F610,00007FFB2B31ADA0,?,?,?,00000001,0040124C), ref: 0040966D
                                            Strings
                                            • Unknown pseudo relocation bit size %d., xrefs: 004097DA
                                            • Unknown pseudo relocation protocol version %d., xrefs: 004097EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                            • API String ID: 544645111-395989641
                                            • Opcode ID: 0d52ca2488176759e471788828c9a841f5c47ec2d898bbec25ad29b593758d2e
                                            • Instruction ID: 792004d391c2955495595ebe6980ceca82694c3fff85f4de56ca0c4668c473bb
                                            • Opcode Fuzzy Hash: 0d52ca2488176759e471788828c9a841f5c47ec2d898bbec25ad29b593758d2e
                                            • Instruction Fuzzy Hash: 089148B2B1064087EB289B7AD88071E6351B7957A4F54853BCE09A77E7DA3DCC82C30D
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CreateEventSleep
                                            • String ID:
                                            • API String ID: 3100162736-0
                                            • Opcode ID: 70b18ee85442ce07223aefa82a0f7b74d5afbb088bba213f01f88a6fe24a6a28
                                            • Instruction ID: d2c6c81d3b24b5666eb54a8fb0ee2db3d262af85fb7ced23c32579efc86f29e9
                                            • Opcode Fuzzy Hash: 70b18ee85442ce07223aefa82a0f7b74d5afbb088bba213f01f88a6fe24a6a28
                                            • Instruction Fuzzy Hash: 3B516B72205740C6E7249F31E89476A32A4FB45BA8F14433ADE2A677D8DB3CC886C749
                                            APIs
                                            • _errno.LIBCMT ref: 02576E4E
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 02576E45
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            • __doserrno.LIBCMT ref: 02576EAB
                                            • _errno.LIBCMT ref: 02576EB2
                                            • _invalid_parameter_noinfo.LIBCMT ref: 02576F16
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
                                            • Instruction ID: aa13b6a051a232ed88e5331b557d59f02270026b3b2e82165244c9650f65856f
                                            • Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
                                            • Instruction Fuzzy Hash: D73109712A8F068FD319AF68F88223D37D5FFC2320B51465DD81A872A1D774DC028B9A
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: write_multi_char$write_string$free
                                            • String ID:
                                            • API String ID: 2630409672-3916222277
                                            • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction ID: 94b457dd8e7faec56a4b1620dba6c5074affa93c8eaf2a0cafe101a06186eaa0
                                            • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction Fuzzy Hash: 73914333608BA486EB20CB65EA043AF7B75F785B98F145106DF8E17B99DB39C549CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: signal
                                            • String ID: CCG
                                            • API String ID: 1946981877-1584390748
                                            • Opcode ID: 0ab87b4a50ea78b41d28c6267fe576f2f59e1723e3c7c2edc2ef254713f30041
                                            • Instruction ID: c07ff436305f65fca0d3e9686ad711302059dd880c37d3d19a689c5147771547
                                            • Opcode Fuzzy Hash: 0ab87b4a50ea78b41d28c6267fe576f2f59e1723e3c7c2edc2ef254713f30041
                                            • Instruction Fuzzy Hash: 04316060B0950045FA789279645533A3161BB9A338F28873BD92AE73E7CD3DACC1821F
                                            APIs
                                            • WaitForMultipleObjects.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFB2CE5F230,0040E830,?,?,0040EC9B), ref: 0040E53B
                                            • WaitForSingleObject.KERNEL32 ref: 0040E56F
                                            • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFB2CE5F230,0040E830,?,?,0040EC9B), ref: 0040E5AA
                                            • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFB2CE5F230,0040E830,?,?,0040EC9B), ref: 0040E5FD
                                            • ResetEvent.KERNEL32 ref: 0040E775
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Wait$ObjectSingle$EventMultipleObjectsReset
                                            • String ID:
                                            • API String ID: 654736092-0
                                            • Opcode ID: 5f293930599933c415515305ebfb5741409f659763790fc2eeeb6062e36a501e
                                            • Instruction ID: 793158b392908c92af3cef7151643e908834b37e5d0ca55c2dd239f64044f790
                                            • Opcode Fuzzy Hash: 5f293930599933c415515305ebfb5741409f659763790fc2eeeb6062e36a501e
                                            • Instruction Fuzzy Hash: 4A51BF2130420042FB246BABADC136F02499B95798F984D37DF49A67D1E93ECCA7921A
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: memcpy$memsetstrlen
                                            • String ID: excepti$Error: u$nhandled$on:
                                            • API String ID: 2350177629-1220997370
                                            • Opcode ID: 3a188c2db38c1550aa1cc745d18a5f31c053dd965958c4e3028a7b69cc3c6742
                                            • Instruction ID: 73d335d02615490dc27db1ba43bc93333880fd435138239ff8f71ef3fda031ca
                                            • Opcode Fuzzy Hash: 3a188c2db38c1550aa1cc745d18a5f31c053dd965958c4e3028a7b69cc3c6742
                                            • Instruction Fuzzy Hash: 49510522315B4091EE11AF12EA057AA6350F781BC4F98853BEF8A2B785EF3CD555C309
                                            APIs
                                            • _errno.LIBCMT ref: 02577C33
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 02577C2B
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            • __lock_fhandle.LIBCMT ref: 02577C77
                                            • _lseeki64_nolock.LIBCMT ref: 02577C90
                                            • _unlock_fhandle.LIBCMT ref: 02577CB3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
                                            • String ID:
                                            • API String ID: 2644381645-0
                                            • Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
                                            • Instruction ID: e6f7309843403655be8f651cd065c67d73037e512ae98bd3aaa7ef9d6c77f9dc
                                            • Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
                                            • Instruction Fuzzy Hash: 0C213A30698A014FF319AB5CF84233DB6D6FFCE321F55065DE01AC72A1D77458018BAA
                                            APIs
                                            • _errno.LIBCMT ref: 02577ABB
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 02577AB3
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            • __lock_fhandle.LIBCMT ref: 02577AFF
                                            • _lseek_nolock.LIBCMT ref: 02577B18
                                            • _unlock_fhandle.LIBCMT ref: 02577B39
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
                                            • String ID:
                                            • API String ID: 1078912150-0
                                            • Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
                                            • Instruction ID: 1d5c35e418e64b2daa104d906177aeaa79c6d4e7ac304a6d2019fe9bec5d1643
                                            • Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
                                            • Instruction Fuzzy Hash: 1F2107316986014FD3196B68FC8237DB7D1FFC6331F15065DD45E87291E77458018BAA
                                            APIs
                                            • _errno.LIBCMT ref: 0232624E
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 02326245
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            • __doserrno.LIBCMT ref: 023262AB
                                            • _errno.LIBCMT ref: 023262B2
                                            • _invalid_parameter_noinfo.LIBCMT ref: 02326316
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                            • Instruction ID: 670a99c08a6835d409c155f6bc057a00cf5dd4c728eaafac9100ba41511c25f7
                                            • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                            • Instruction Fuzzy Hash: 572136323107B486C7266F659E8132D365ABBC1BA0F858129CF69277A2CB78C44ECF50
                                            APIs
                                            Strings
                                            • SIGFPE: Arithmetic error., xrefs: 00407608
                                            • SIGILL: Illegal operation., xrefs: 0040761E
                                            • SIGINT: Interrupted by Ctrl-C., xrefs: 004075E4
                                            • unknown signal, xrefs: 00407614
                                            • SIGSEGV: Illegal storage access. (Attempt to read from nil?), xrefs: 004075F0
                                            • SIGABRT: Abnormal termination., xrefs: 004075FC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: exitstrlen
                                            • String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
                                            • API String ID: 4213389737-3987738871
                                            • Opcode ID: 7083bacc55c54cadf4e226d2b89bf412faec1f40c517a61529750faa2a6676d6
                                            • Instruction ID: 8a7ee2ab0c04ae1dcaede8fea5fbbab4dc121a1e6145f7c85218f631294eeb7c
                                            • Opcode Fuzzy Hash: 7083bacc55c54cadf4e226d2b89bf412faec1f40c517a61529750faa2a6676d6
                                            • Instruction Fuzzy Hash: 2911DD62A28F4096EB08CB15F88036A7766F7847C8FC4803AEA4F13BA5DB3CC445C749
                                            APIs
                                            • GetHandleInformation.KERNEL32 ref: 0040C649
                                              • Part of subcall function 0040B420: TlsGetValue.KERNEL32 ref: 0040B43C
                                            • SetEvent.KERNEL32 ref: 0040C6A8
                                            • SetEvent.KERNEL32 ref: 0040C79F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Event$HandleInformationValue
                                            • String ID:
                                            • API String ID: 211894710-0
                                            • Opcode ID: 0b33cd9ce3a8a4f4c457f7f3b7084165053afb707c15325a94261b9c8985c2d7
                                            • Instruction ID: 1195ec8958e7dcde6adc29c0c82d8ff03a11be5d1b09b5c60e888fe0fd953098
                                            • Opcode Fuzzy Hash: 0b33cd9ce3a8a4f4c457f7f3b7084165053afb707c15325a94261b9c8985c2d7
                                            • Instruction Fuzzy Hash: EE51D563601A40C6DB25EB35988437A2760EB85BB9F084736DF29673D5EF3DC8859309
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0232F176
                                            • _errno.LIBCMT ref: 0232F16B
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction ID: ca0066228d39cdfa63cd7e5f18f54230c1de6b2a00e18904d15f3f34632c80e3
                                            • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction Fuzzy Hash: 1841397A6203B586DF24AB22D6403B977B1E756FE8FD04221DB9447F85D738D14ACB80
                                            APIs
                                              • Part of subcall function 0040E7C0: EnterCriticalSection.KERNEL32(?,?,004015EB,?,?,?,0040EC9B), ref: 0040E7F0
                                              • Part of subcall function 0040E7C0: LeaveCriticalSection.KERNEL32(?,?,0040EC9B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E806
                                            • TryEnterCriticalSection.KERNEL32 ref: 0040E917
                                            • LeaveCriticalSection.KERNEL32 ref: 0040E953
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: b80d242db8871881959d63be79deda96f2e820f442738c3c62611786bb3a5a8f
                                            • Instruction ID: 8010976068a9ec9b0fe6d1c59ca2451cd508571b3fb02b2a82bd86f65d7e79d4
                                            • Opcode Fuzzy Hash: b80d242db8871881959d63be79deda96f2e820f442738c3c62611786bb3a5a8f
                                            • Instruction Fuzzy Hash: A731A32370060485DB50EF37EC107AA2350B781BB8F9C4A379E69A73D4DE79C896C319
                                            APIs
                                            • _errno.LIBCMT ref: 0257645F
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 02576457
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            • __lock_fhandle.LIBCMT ref: 025764A3
                                            • _unlock_fhandle.LIBCMT ref: 025764DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
                                            • String ID:
                                            • API String ID: 2464146582-0
                                            • Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
                                            • Instruction ID: 5f642d4cf6135f1ae90a2568026df0a053e0bc0e654b06a9657d5c1e51cd6e21
                                            • Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
                                            • Instruction Fuzzy Hash: 57214930A9CE014FE319AB68F89233C36D6FFC2331F15066DD11A87295D7649C018BAE
                                            APIs
                                            • calloc.MSVCRT ref: 0040E37B
                                            • CreateSemaphoreA.KERNEL32 ref: 0040E3BC
                                            • CreateSemaphoreA.KERNEL32 ref: 0040E3D2
                                            • InitializeCriticalSection.KERNEL32(?,0040D7A2,?,00000008,?,0040D83D,?,?,?,0040D8B5,?,?,?,?,0040DD04), ref: 0040E3F7
                                            • InitializeCriticalSection.KERNEL32(?,0040D7A2,?,00000008,?,0040D83D,?,?,?,0040D8B5,?,?,?,?,0040DD04), ref: 0040E3FD
                                            • InitializeCriticalSection.KERNEL32(?,0040D7A2,?,00000008,?,0040D83D,?,?,?,0040D8B5,?,?,?,?,0040DD04), ref: 0040E403
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                                            • String ID:
                                            • API String ID: 2075313795-0
                                            • Opcode ID: 7c5b2dee2a6b0f7c37b70cb329606f72fd8f9d31c8e99c7063dea2c181cd0ea4
                                            • Instruction ID: 950476c27c72f8ac3162e1b4707e53c95a1688c5878a1ab4cfd70a3a5ba509ee
                                            • Opcode Fuzzy Hash: 7c5b2dee2a6b0f7c37b70cb329606f72fd8f9d31c8e99c7063dea2c181cd0ea4
                                            • Instruction Fuzzy Hash: 2D21DE3370270086EB699F76F9507AA2290EB45B99F084636CE6D4B3C8EE38C8D5C305
                                            APIs
                                            • _errno.LIBCMT ref: 02575C79
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 02575C71
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            • __lock_fhandle.LIBCMT ref: 02575CBD
                                            • _close_nolock.LIBCMT ref: 02575CD0
                                            • _unlock_fhandle.LIBCMT ref: 02575CE9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
                                            • String ID:
                                            • API String ID: 2140805544-0
                                            • Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
                                            • Instruction ID: 59954942600dab4e71423586d040b96142bc2d725d16f9f16529a749ef45f2d8
                                            • Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
                                            • Instruction Fuzzy Hash: 541138325A9E414FD315AB68FC9532C7AD5FFC1321FA60A5CD81B872E1EA7498008B6D
                                            APIs
                                            • _errno.LIBCMT ref: 02327033
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 0232702B
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            • __lock_fhandle.LIBCMT ref: 02327077
                                            • _lseeki64_nolock.LIBCMT ref: 02327090
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                            • String ID:
                                            • API String ID: 4140391395-0
                                            • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                            • Instruction ID: 131e5267e13bd04020953245a3cd981c9c0e5c67077d773fa7004c0a3225ffb8
                                            • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                            • Instruction Fuzzy Hash: 5A1121327102B045EB222F269D0432DFA22B780BB5F49D7289E391B3D2CB3C844DCB65
                                            APIs
                                            • _errno.LIBCMT ref: 02326EBB
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 02326EB3
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            • __lock_fhandle.LIBCMT ref: 02326EFF
                                            • _lseek_nolock.LIBCMT ref: 02326F18
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                            • String ID:
                                            • API String ID: 310312816-0
                                            • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                            • Instruction ID: e7f49048673746f419230ba945584e8b485e65d7badd0b483565e3b15d7838e8
                                            • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                            • Instruction Fuzzy Hash: EF1159327107B056DB22AF25D94132D7666BF80BA1F498124DB59177D1CB7CC84DCF54
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$FreeHeap_errno
                                            • String ID:
                                            • API String ID: 2737118440-0
                                            • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction ID: 8289ecc8051c032a14c44ed9be2487dc4e6569983466467a2f4a9c4a28dde0be
                                            • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction Fuzzy Hash: 31318D30665A0A8FEB64EF58FC98B7476D1F798319FA44069840AC36A0CB6CC945CF18
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno
                                            • String ID:
                                            • API String ID: 2288870239-0
                                            • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction ID: aca89c9916bf0bb5a5dffd3f7de9ebe9c3ca45a646917dc76377c36ccea0157c
                                            • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction Fuzzy Hash: DB312A62302B4581FF2CFF15E8A93282361BB94BA4F8C1A66CD1E4AA61DF3CD645C701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: ErrorLastmemsetrealloc$Value
                                            • String ID: DV@
                                            • API String ID: 1675512986-317671244
                                            • Opcode ID: 79c31ebe7f4bdeecb631282dbcd9b4f8ec3ec40d3a464655e247d68361bb97cb
                                            • Instruction ID: aba79bb59176af2bf5a1fb3d79f11858a982568f1b6aeac8b99ea9cbc0595748
                                            • Opcode Fuzzy Hash: 79c31ebe7f4bdeecb631282dbcd9b4f8ec3ec40d3a464655e247d68361bb97cb
                                            • Instruction Fuzzy Hash: B121A132311740DADB14DF3B988071E2791FB48FA8F4404369E4A17395EE3DC496C789
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0257FD76
                                            • _errno.LIBCMT ref: 0257FD6B
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction ID: df4cdaa694a6412fc3302ad7f6120a4fd1c706a9b3630bcb9d3d3a2089dfc6ca
                                            • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction Fuzzy Hash: 07419B30168E1B4FDB64EB28E4402B977D1FF54325F94026EE89AC7995E734C841C78E
                                            APIs
                                            • _errno.LIBCMT ref: 0232585F
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 02325857
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            • __lock_fhandle.LIBCMT ref: 023258A3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                            • String ID:
                                            • API String ID: 2611593033-0
                                            • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                            • Instruction ID: fb83e5719c6e854ba1394326b2a5c2e18e97bf6c9c704f5b7a28ccaf0553aee4
                                            • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                            • Instruction Fuzzy Hash: 88115932B102B046D7192F25DD4033D7A62A780BA1F898125DA191B3D2CBBCC949CB65
                                            APIs
                                            • _errno.LIBCMT ref: 02325079
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 02325071
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            • __lock_fhandle.LIBCMT ref: 023250BD
                                            • _close_nolock.LIBCMT ref: 023250D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                            • String ID:
                                            • API String ID: 4060740672-0
                                            • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                            • Instruction ID: 09d9bef296c3a15ac2791723105ef42564cc46987399ead0e5dc9d2a0a41914e
                                            • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                            • Instruction Fuzzy Hash: FC1129327106B445D7296F35ED8432C7A12A780BA1F998634CA5E473D2CB78C54ECB94
                                            APIs
                                            • malloc.LIBCMT ref: 025546A9
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • malloc.LIBCMT ref: 025546B3
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F318
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F31D
                                            • malloc.LIBCMT ref: 025546BE
                                            • free.LIBCMT ref: 0255487E
                                            • free.LIBCMT ref: 02554886
                                            • free.LIBCMT ref: 0255488E
                                              • Part of subcall function 025554F0: malloc.LIBCMT ref: 0255553A
                                              • Part of subcall function 025554F0: malloc.LIBCMT ref: 02555545
                                              • Part of subcall function 025554F0: free.LIBCMT ref: 0255562C
                                              • Part of subcall function 025554F0: free.LIBCMT ref: 02555634
                                            • free.LIBCMT ref: 0255489A
                                            • free.LIBCMT ref: 025548A7
                                            • free.LIBCMT ref: 025548B4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh
                                            • String ID:
                                            • API String ID: 4160633307-0
                                            • Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
                                            • Instruction ID: c08d54a791e62ffed68687af53f575821a0a2c86d32cb4e138457965053fa312
                                            • Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
                                            • Instruction Fuzzy Hash: BC81C430718B994BC729AE6CD86577A77D2FBC5714F44025FD88BC3242EF24D8468A8A
                                            APIs
                                            • malloc.LIBCMT ref: 02303AA9
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • malloc.LIBCMT ref: 02303AB3
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E718
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E71D
                                            • malloc.LIBCMT ref: 02303ABE
                                            • free.LIBCMT ref: 02303C7E
                                            • free.LIBCMT ref: 02303C86
                                            • free.LIBCMT ref: 02303C8E
                                              • Part of subcall function 023048F0: malloc.LIBCMT ref: 0230493A
                                              • Part of subcall function 023048F0: malloc.LIBCMT ref: 02304945
                                              • Part of subcall function 023048F0: free.LIBCMT ref: 02304A2C
                                              • Part of subcall function 023048F0: free.LIBCMT ref: 02304A34
                                            • free.LIBCMT ref: 02303C9A
                                            • free.LIBCMT ref: 02303CA7
                                            • free.LIBCMT ref: 02303CB4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh
                                            • String ID:
                                            • API String ID: 4160633307-0
                                            • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction ID: 00da23a19cd7c5c1e9559288d9132866ef889ec7a64f4a39de076a685b7d1fa2
                                            • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction Fuzzy Hash: 3561026231478546CF24EF2694A0B6F7B52FB85FC8F444029CE4A87B85DF39C446CB14
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: memcpy
                                            • String ID: .. $ notin $RangeDefect$value out of range:
                                            • API String ID: 3510742995-1184348040
                                            • Opcode ID: 45789f6dd39c18b8abe4ad4726f3c1d9abe1c64d6c9238dfd5403cb81f8e4944
                                            • Instruction ID: 5f1bf679f3c79b71b9578435cbfc27a5d8f6374eacb1aa8ca9e2611375506ca8
                                            • Opcode Fuzzy Hash: 45789f6dd39c18b8abe4ad4726f3c1d9abe1c64d6c9238dfd5403cb81f8e4944
                                            • Instruction Fuzzy Hash: DE61EF72710F8096DA04CB12E94475FA7A5F786BC8F458436EF492BB96DB3CC581CB08
                                            APIs
                                            Strings
                                            • VirtualQuery failed for %d bytes at address %p, xrefs: 00409517
                                            • Address %p has no image-section, xrefs: 0040952D
                                            • VirtualProtect failed with code 0x%x, xrefs: 004094D6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Virtual$ErrorLastProtectQuery
                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                            • API String ID: 637304234-2123141913
                                            • Opcode ID: 3f14427b23f8e90e3e2ea69bc41f53ba9030e2cc55926c8a25e8bb2844c5cb9f
                                            • Instruction ID: 21e49a613193aac54918af74165f8c44c358ccebf9ace4db484552f77ef38229
                                            • Opcode Fuzzy Hash: 3f14427b23f8e90e3e2ea69bc41f53ba9030e2cc55926c8a25e8bb2844c5cb9f
                                            • Instruction Fuzzy Hash: 645102B3701A4086DB208F26EC4076E77A4E799BA4F448137DF09677A6DB3CC946C708
                                            APIs
                                            • _errno.LIBCMT ref: 0256FE36
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0256FE42
                                            • __crtIsPackagedApp.LIBCMT ref: 0256FE53
                                            • _dosmaperr.LIBCMT ref: 0256FE9D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2917016420-0
                                            • Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
                                            • Instruction ID: cac283e2190cf535b0e13b2bff4bd682e465f528b5ba60f61592f708905e0039
                                            • Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
                                            • Instruction Fuzzy Hash: 7F31A930A14A0A8FDB44AFBDE8493797AD1FF88315F14455DE44FC3291DB78C8418B46
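The function blocks above all share one layout: an APIs list, the Memory Dump Source the function was disassembled from, an optional Yara matches header, and the Similarity identifiers. The Source File name is what separates the code that came from the on-disk image at 0x400000 (based on PE: true, protection field 0x20) from the code dumped out of the 0x2300000 region (a PE in memory, 0x20) and the 0x2550000 region (no PE header, protection field 0x40, i.e. PAGE_EXECUTE_READWRITE), and every block from the latter two regions carries a Yara match. The following is an added example, not Joe Sandbox code, that parses blocks in this layout and flags functions executing from memory that is not backed by a PE image. Reading the fourth and fifth dotted fields of the .sdmp name as region base and page protection is an assumption drawn from the values on this page (0x02, 0x04, 0x08, 0x20, 0x40 match the winnt.h PAGE_* constants); the sample input is a constructed excerpt of three blocks.

```python
"""Parse Joe Sandbox execution-graph function blocks and triage them by memory region. Added example, not Joe Sandbox code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}  # winnt.h
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
SOURCE_RE = re.compile(r"Source File: (?P<name>[0-9A-Fa-f.]+)\.sdmp, Offset: [0-9A-Fa-f]+, based on PE: (?P<pe>true|false)")
# "calloc.MSVCRT ref: 0040E37B" or "InitializeCriticalSection.KERNEL32(?,0040D7A2), ref: 0040E3F7"
API_RE = re.compile(r"^(?P<api>[\w@]+)\.(?P<module>\w+)(?:\([^)]*\))?,? ref: (?P<addr>[0-9A-Fa-f]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]{8})$")


@dataclass
class FunctionBlock:
    apis: list[tuple[str, str, int]] = field(default_factory=list)  # (api, module, call-site address)
    strings: list[tuple[str, int]] = field(default_factory=list)    # (string, xref address)
    similarity: dict[str, str] = field(default_factory=dict)        # API ID, fuzzy hashes, ...
    region_base: int | None = None
    protect: int | None = None        # PAGE_* value of the dumped region
    pe_backed: bool | None = None     # the report's "based on PE" flag
    yara_match: bool = False


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section = None
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section = line
            if section == "APIs":                       # every function block opens with "APIs"
                blocks.append(FunctionBlock())
            elif section == "Yara matches" and blocks:  # assumption: header is present only on a rule hit
                blocks[-1].yara_match = True
            continue
        if not blocks or not line.startswith("•"):
            continue
        item, cur = line[1:].strip(), blocks[-1]
        if section == "APIs" and not item.startswith("Part of subcall"):  # keep direct calls only
            if m := API_RE.match(item):
                cur.apis.append((m["api"], m["module"], int(m["addr"], 16)))
        elif section == "Strings":
            if m := STRING_RE.match(item):
                cur.strings.append((m["text"], int(m["addr"], 16)))
        elif section == "Memory Dump Source":
            if m := SOURCE_RE.search(item):             # "Associated:" dumps have no Source File and are skipped
                f = m["name"].split(".")
                # Assumption: field 4 of the .sdmp name is the region base, field 5 its PAGE_* protection.
                cur.region_base, cur.protect = int(f[3], 16), int(f[4], 16)
                cur.pe_backed = m["pe"] == "true"
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return blocks


def triage(blocks: list[FunctionBlock]) -> list[tuple[int, str]]:
    """(block index, reason) for functions living outside a PE image or flagged by Yara."""
    out = []
    for i, b in enumerate(blocks):
        reasons = []
        if b.protect is not None and b.protect & EXEC_MASK and not b.pe_backed:
            reasons.append(f"executes from {PAGE_NAMES.get(b.protect, hex(b.protect))} memory with no PE header")
        if b.yara_match:
            reasons.append("Yara rule hit")
        if reasons:
            out.append((i, f"0x{(b.region_base or 0):08x}: " + "; ".join(reasons)))
    return out


# Constructed excerpt: three blocks in the report's own layout.
SAMPLE = """\
APIs
• calloc.MSVCRT ref: 0040E37B
• InitializeCriticalSection.KERNEL32(?,0040D7A2,?,00000008), ref: 0040E3F7
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalInitializeSection$CreateSemaphore$calloc
APIs
• _errno.LIBCMT ref: 02575C79
  • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
• _close_nolock.LIBCMT ref: 02575CD0
Memory Dump Source
• Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Yara matches
APIs
Strings
• VirtualProtect failed with code 0x%x, xrefs: 004094D6
• Address %p has no image-section, xrefs: 0040952D
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for idx, why in triage(parse_blocks(SAMPLE)):
        print(f"block {idx}: {why}")
```

Run against the full report text, the triage output lists only the blocks dumped from 0x2550000; the 0x2300000 blocks are PE-backed and so are surfaced only through their Yara header, which is the distinction a reviewer wants when deciding which disassembly belongs to the loader in the on-disk image and which to the payload it staged in memory.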
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentThreadValue$CloseHandleSleep_endthreadex_setjmp
                                            • String ID:
                                            • API String ID: 398069486-0
                                            • Opcode ID: b8cc304627b65d474944d2ecb7afef2e8706cde166060d858e39debea6284711
                                            • Instruction ID: 6cd1cd227020b8c6ba33d9f8f6700b0e04a8e10d5f9d89813a7f35f434339870
                                            • Opcode Fuzzy Hash: b8cc304627b65d474944d2ecb7afef2e8706cde166060d858e39debea6284711
                                            • Instruction Fuzzy Hash: D6411AA5200B0485DB14EF26D8513692760EB88BA8F09523B9F1E677A6DF3CC485C789
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
                                            • String ID:
                                            • API String ID: 4120058822-0
                                            • Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
                                            • Instruction ID: 6163a831ad5bc7e520757b0c5947af497149ca0414c0c6c8e7acec4ceb57488b
                                            • Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
                                            • Instruction Fuzzy Hash: 74215730698B024FD314AFA8F8A032D7AA1FF81320F55051CE51BCB291D7789C418B9E
                                            APIs
                                            • _errno.LIBCMT ref: 0231F236
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0231F242
                                            • __crtIsPackagedApp.LIBCMT ref: 0231F253
                                            • _dosmaperr.LIBCMT ref: 0231F29D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2917016420-0
                                            • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction ID: 9ff70db9f6f923c5caea99feef8f44b6aceb8e0c419ca18cc2a0a4efbd1db6e7
                                            • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction Fuzzy Hash: 7621A779310F5086EB28AF66D80432977E6FBC9B94F084624CE8947B95DF3CC2468740
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0232F004
                                              • Part of subcall function 02320A00: _getptd.LIBCMT ref: 02320A16
                                              • Part of subcall function 02320A00: __updatetlocinfo.LIBCMT ref: 02320A4B
                                              • Part of subcall function 02320A00: __updatetmbcinfo.LIBCMT ref: 02320A72
                                            • _errno.LIBCMT ref: 0232F01F
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0232F02A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3191669884-0
                                            • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction ID: a62c7fa7eeb4e9354c40582a7a781908c93d0f9f403483e3efd2beea7e61d8fb
                                            • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction Fuzzy Hash: E3218D722047A88AD7209F12D58466EB7B5F798FE4F58C221DF9807F45CB74D44ACB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentThreadfprintf
                                            • String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
                                            • API String ID: 1384477639-884133013
                                            • Opcode ID: e082a836f88d518aa284b2d747ff834d5c072635b4d2dee90c757491ec476541
                                            • Instruction ID: ad4e87abc89a0f6b9defbed01aa5578e25f956962538df905230bc72d6f1c168
                                            • Opcode Fuzzy Hash: e082a836f88d518aa284b2d747ff834d5c072635b4d2dee90c757491ec476541
                                            • Instruction Fuzzy Hash: 0C017CB7200B449AEA119F26FC407593764B788F99F488036DF4C57B50EB3CC896C709
                                            APIs
                                            Strings
                                            • (, xrefs: 0040D633
                                            • ../../src/mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 0040D63B
                                            • (((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 0040D642
                                            • Assertion failed: (%s), file %s, line %d, xrefs: 0040D64C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: exitfprintf
                                            • String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$../../src/mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c$Assertion failed: (%s), file %s, line %d
                                            • API String ID: 4243785698-3651547468
                                            • Opcode ID: ad7bdae21e051ce0ddf3eb1e8c6626a4c85702f95f6e125b711a76afc4c062d7
                                            • Instruction ID: 59e762d400623d30da18e204958f1e099f4dbabddd29c9e07c5cb25b2dad55e8
                                            • Opcode Fuzzy Hash: ad7bdae21e051ce0ddf3eb1e8c6626a4c85702f95f6e125b711a76afc4c062d7
                                            • Instruction Fuzzy Hash: 180162B2601F0497D700DF69EC543AD7760F744B55F84852ADA0D673A2DB3CC849C749
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction ID: 578638ae9232452874beeae991092530b333e58b9258df30cc2807c26c7f84fd
                                            • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction Fuzzy Hash: 985160303ACF094B972C5A2DB859139B7C2F7D5724B15032ED45AC32D5FF60E85686CA
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction ID: 1ce59b59f0b62cf6088145e3df904a37aa900f5ece89b7c3ff5e4fd32c1506a7
                                            • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction Fuzzy Hash: F751567170477086EB2C8A26990066AB691F7A5FF8F088725AE7D43FD4CB78D09EC740
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Time$FileSystem
                                            • String ID:
                                            • API String ID: 2086374402-0
                                            • Opcode ID: 7db33873ddfc0322ad360cc408ca0fdcc3b2a2f929bddcb0dd8f1c1e46bba93a
                                            • Instruction ID: e975f90a3d8c1b139d0e9ed269a964ad108ac021387f4ac7ef1c9ddbb81725fe
                                            • Opcode Fuzzy Hash: 7db33873ddfc0322ad360cc408ca0fdcc3b2a2f929bddcb0dd8f1c1e46bba93a
                                            • Instruction Fuzzy Hash: 8531A7737013018BEB259F71990072B6261AB44B99F188536CE159B7C4EE7CCC92D34B
                                            APIs
                                              • Part of subcall function 02571600: _getptd.LIBCMT ref: 02571616
                                              • Part of subcall function 02571600: __updatetlocinfo.LIBCMT ref: 0257164B
                                              • Part of subcall function 02571600: __updatetmbcinfo.LIBCMT ref: 02571672
                                            • _errno.LIBCMT ref: 0257FC1F
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0257FC2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2808835054-0
                                            • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction ID: 7db4ba59695578f730de30b5f799ed549442ebca6e9bbe372797726c7554def6
                                            • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction Fuzzy Hash: D331CF7026CB098FC754EF18E08462A77D1FB88320F5106ADE849C7292DB70D840CB8A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
                                            • Instruction ID: e8fa3df2109e3d3566f3a3cce30c6be03a0bd447a53a5ed1ac07ea3e5150fb24
                                            • Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
                                            • Instruction Fuzzy Hash: CB218170698B4A8FE795EB28A40533E77D2FBC9310F45096A9849C7290EF74CC418B9A
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A784
                                            • WaitForSingleObject.KERNEL32(?,?,00000000,00000008,0040BC70,?,?,?,?,?,?,?,0040A3F6,?), ref: 0040A7DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentObjectSingleThreadWait
                                            • String ID:
                                            • API String ID: 1728940165-0
                                            • Opcode ID: 0f19003b143cb30aba972b1eb1fd132c39367f1a6850e4a43b036aa409df44fa
                                            • Instruction ID: 245e7f55a96ff446a680cc276a055d008e005892f259b8125ff2eccecd31d106
                                            • Opcode Fuzzy Hash: 0f19003b143cb30aba972b1eb1fd132c39367f1a6850e4a43b036aa409df44fa
                                            • Instruction Fuzzy Hash: 8F318E727013018BEB159F35D800B5B22A1E784B99F18C536CE0A9B3C4EA3DCCA2C796
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                            • Instruction ID: 50eb323b346f3e2688d2135db40f6ea6d3af4ed7d34521b811879636c35a6823
                                            • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                            • Instruction Fuzzy Hash: 6511C87131479695DB25AF62AD0032EA7A6BB89BC4F884421DE8D97F59EF3CC1518F00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                                            • String ID:
                                            • API String ID: 2102446242-0
                                            • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                            • Instruction ID: 6a5b980f406b70d9d70334be14f3ba7b60b884ef6571df1c442bfee6e5911ffc
                                            • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                            • Instruction Fuzzy Hash: 12115B317007B085DB156FA9D9D433D7655EB80B60F694128DB5A0B391CB7CC849C754
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CloseHandleValue$_endthreadex
                                            • String ID:
                                            • API String ID: 3955988603-0
                                            • Opcode ID: 4fcd89013ee7740ead3aaae1b05b410178f810bdfb6f070ef027c58e878e45b5
                                            • Instruction ID: 59fe88858531d89057f0038b42ecbfead7148b9934fb3b134ebb9677fc831ea9
                                            • Opcode Fuzzy Hash: 4fcd89013ee7740ead3aaae1b05b410178f810bdfb6f070ef027c58e878e45b5
                                            • Instruction Fuzzy Hash: 20217C72604A44C2EB25DF61D49436A3BA0F785B08F09427ADE0A277D4EF3D8885C38D
                                            APIs
                                            • malloc.LIBCMT ref: 0231E40F
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • malloc.LIBCMT ref: 0231E41D
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E718
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E71D
                                            • malloc.LIBCMT ref: 0231E43F
                                            • _snprintf.LIBCMT ref: 0231E45A
                                              • Part of subcall function 0231EA3C: _errno.LIBCMT ref: 0231EA73
                                              • Part of subcall function 0231EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0231EA7E
                                            • malloc.LIBCMT ref: 0231E475
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                                            • String ID: dpoolWait
                                            • API String ID: 2026495703-1875951006
                                            • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction ID: 95d2f6934392299b64dd6ecce08c7b353c7768992b598b8ba9b9b8edc98eae82
                                            • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction Fuzzy Hash: 8A01DE71700B9041DA18DB12B804B19B69AF79CFE0F46822ADFA947BC4CF38C0418B80
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: _fileno_setmode
                                            • String ID:
                                            • API String ID: 66534057-0
                                            • Opcode ID: a005025fe765626447aaf941bab582738da3393a7fd71a9516fc9694a18dcf3f
                                            • Instruction ID: d395317f33de1d4e6c9ade2b528160413540b4a4ef1efefa68ad39ca44651fe6
                                            • Opcode Fuzzy Hash: a005025fe765626447aaf941bab582738da3393a7fd71a9516fc9694a18dcf3f
                                            • Instruction Fuzzy Hash: 71F06D10B11A1842FF08B3B2BD2837E0646AF997C0F18803B8D4A473D0EC3DC8424749
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$FreeHeap_errnorand
                                            • String ID:
                                            • API String ID: 3504763109-0
                                            • Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
                                            • Instruction ID: f10dc77ff828592163a92a0ab75cd202577d0aa8db3d298ba93e1bba7b32a581
                                            • Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
                                            • Instruction Fuzzy Hash: 4A71E520628E995BDB6AAB2CE8183FAB7D1FFD9309F0401ADC58AC7151DE34C547CB85
                                            APIs
                                            • malloc.LIBCMT ref: 025541BD
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • malloc.LIBCMT ref: 025541C8
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F318
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F31D
                                            • free.LIBCMT ref: 025542AF
                                            • free.LIBCMT ref: 025542B7
                                            • free.LIBCMT ref: 025542BF
                                            • free.LIBCMT ref: 025542CB
                                            • free.LIBCMT ref: 025542D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
                                            • Instruction ID: bcc5e5daf0e9d50b6c44a52539da43deb51af2029d83e8e80fa2259e02faa257
                                            • Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
                                            • Instruction Fuzzy Hash: 1241E534618F2A4F9759EF2DE85567977D1FB89304B50026EDC4BC3606EF60E8828AC9
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$rand
                                            • String ID:
                                            • API String ID: 1305919620-0
                                            • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction ID: 1e52a4d47e206694357a578e2917667d0d2d42bebf52cfd837bb4bcd6a56d62b
                                            • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction Fuzzy Hash: EF61E662608FD485EA3E9B29A4103EBA7A2EF99B84F085115CF8917B55EF3DC147CB00
                                            APIs
                                            • malloc.LIBCMT ref: 023035BD
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • malloc.LIBCMT ref: 023035C8
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E718
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E71D
                                            • free.LIBCMT ref: 023036AF
                                            • free.LIBCMT ref: 023036B7
                                            • free.LIBCMT ref: 023036BF
                                            • free.LIBCMT ref: 023036CB
                                            • free.LIBCMT ref: 023036D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction ID: b3db9f103e062e89054fe2f8458b7c8e6071635ff6d12478824fbb2d9298317e
                                            • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction Fuzzy Hash: EC413522300B999BEB28EF6699F436E2751F749BC4F8444A4CF5A47B51EF38D022CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strtok$_getptd_time64malloc
                                            • String ID: eThreadpoolTimer
                                            • API String ID: 1522986614-2707337283
                                            • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                            • Instruction ID: 11d65264b352f33e3e1b4e967484d2ed30191382d6502773e28a7df1ab33da41
                                            • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                            • Instruction Fuzzy Hash: F021FBB2610BE485DB18DF52F09866D77AAF794FD4B165216DF5A47740CF34C041C780
                                            APIs
                                            Strings
                                            • Error cleaning up spin_keys for thread , xrefs: 0040B30A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentDebugOutputStringThread_ultoaabort
                                            • String ID: Error cleaning up spin_keys for thread
                                            • API String ID: 4191895893-2906507043
                                            • Opcode ID: 00d32fffeff5a360e7874eacd6d00a9cb9be9f0f343a57345a9b6b5a142e938e
                                            • Instruction ID: c4990df24cff04e533fb9e0e4671906f4e97169299b23d42e76d0f2cde5e67a3
                                            • Opcode Fuzzy Hash: 00d32fffeff5a360e7874eacd6d00a9cb9be9f0f343a57345a9b6b5a142e938e
                                            • Instruction Fuzzy Hash: 1311066270474095EB348B24E40432A1A51F346758F684736DE99663E4DB7DC885C30E
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentThread$printf
                                            • String ID: T%p %d %s$T%p %d V=%0X H=%p %s
                                            • API String ID: 2165381015-2059990036
                                            • Opcode ID: ad1a09b99c0ae016908ff96fce716beeb07053f4782c09f18cf4a96afc51efa6
                                            • Instruction ID: 4580a4190a538d95e900a8df13537ab9dd0dd5cd3249cf1cabc42d15cd79edf2
                                            • Opcode Fuzzy Hash: ad1a09b99c0ae016908ff96fce716beeb07053f4782c09f18cf4a96afc51efa6
                                            • Instruction Fuzzy Hash: 38018073305B089AD6109B27FC4075A6365F788FD5F484036AE4C577A4EB3CD485C748
                                            APIs
                                            Strings
                                            • RWL%p %d %s, xrefs: 0040D6FC
                                            • RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 0040D6B3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CurrentThread$printf
                                            • String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
                                            • API String ID: 2165381015-1971217749
                                            • Opcode ID: 51ba6a8e622832e596f6f71a37c4c5196533f111eedb683808bd9450df109bc4
                                            • Instruction ID: 700d41e2e67a9c0ea3b30cf733aea1998e6b14b9d2d83968939827aac6c33995
                                            • Opcode Fuzzy Hash: 51ba6a8e622832e596f6f71a37c4c5196533f111eedb683808bd9450df109bc4
                                            • Instruction Fuzzy Hash: 8C01BCB2300A889AE7118F16F84070A7BA4B788FA9F188035EF4C53750EB3DC48ACB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: memcpy$memset
                                            • String ID: [[reraised from:$]]
                                            • API String ID: 438689982-3653159892
                                            • Opcode ID: 1e7e1c4b4bf05be251f585c240d80514a2b3678c1ba4ad613ad3009d5cb25a34
                                            • Instruction ID: e54c28d7e5fc909ad3b34ef5ab3c2c625d817787e01b32617cfb8fae09f00219
                                            • Opcode Fuzzy Hash: 1e7e1c4b4bf05be251f585c240d80514a2b3678c1ba4ad613ad3009d5cb25a34
                                            • Instruction Fuzzy Hash: 70E19F72708B8081CA049B56E54031BAB61F7C5BE4F48852BEED927BE9DFBDC495C708
                                            APIs
                                              • Part of subcall function 023153EC: malloc.LIBCMT ref: 02315408
                                            • malloc.LIBCMT ref: 0230BF3B
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                              • Part of subcall function 0231B630: _time64.LIBCMT ref: 0231B654
                                              • Part of subcall function 0231B630: malloc.LIBCMT ref: 0231B69C
                                              • Part of subcall function 0231B630: strtok.LIBCMT ref: 0231B700
                                              • Part of subcall function 0231B630: strtok.LIBCMT ref: 0231B711
                                              • Part of subcall function 023128A0: _time64.LIBCMT ref: 023128AE
                                              • Part of subcall function 0231DEA8: malloc.LIBCMT ref: 0231DEF8
                                              • Part of subcall function 0231DEA8: realloc.LIBCMT ref: 0231DF07
                                            • malloc.LIBCMT ref: 0230C04A
                                            • _snprintf.LIBCMT ref: 0230C0C1
                                            • _snprintf.LIBCMT ref: 0230C0E7
                                            • _snprintf.LIBCMT ref: 0230C10E
                                            • free.LIBCMT ref: 0230C2C6
                                              • Part of subcall function 0231A144: malloc.LIBCMT ref: 0231A178
                                              • Part of subcall function 0231A144: free.LIBCMT ref: 0231A32F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                                            • String ID:
                                            • API String ID: 1314452303-0
                                            • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction ID: bf6db0ab826572db4121ee95fbafa771225c362d9174f072b9618fa937e6ada1
                                            • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction Fuzzy Hash: AEA1D22130178142EB2CFBB6A8A476E7797EB85B85F4069268E5A47784DF3CC506CF60
                                            APIs
                                              • Part of subcall function 02565FEC: malloc.LIBCMT ref: 02566008
                                              • Part of subcall function 02570620: _errno.LIBCMT ref: 02570577
                                              • Part of subcall function 02570620: _invalid_parameter_noinfo.LIBCMT ref: 02570582
                                            • fseek.LIBCMT ref: 02561730
                                              • Part of subcall function 02570EA4: _errno.LIBCMT ref: 02570ECC
                                              • Part of subcall function 02570EA4: _invalid_parameter_noinfo.LIBCMT ref: 02570ED7
                                            • _ftelli64.LIBCMT ref: 02561738
                                              • Part of subcall function 02570F18: _errno.LIBCMT ref: 02570F36
                                              • Part of subcall function 02570F18: _invalid_parameter_noinfo.LIBCMT ref: 02570F41
                                            • fseek.LIBCMT ref: 02561748
                                              • Part of subcall function 02570EA4: _fseek_nolock.LIBCMT ref: 02570EF5
                                            • malloc.LIBCMT ref: 02561788
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • fclose.LIBCMT ref: 02561845
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
                                            • String ID:
                                            • API String ID: 2887643383-0
                                            • Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
                                            • Instruction ID: c869563e3de82e9d389e3acb39099af4a4709fc025e5f8d9be36931813bdd988
                                            • Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
                                            • Instruction Fuzzy Hash: 1951C671718A184FD749EB2CE49967973D6FBC8310B50426ED44FC3295EE34D9028BC9
                                            APIs
                                            • _mtinitlocknum.LIBCMT ref: 0257A375
                                              • Part of subcall function 02573E58: _FF_MSGBANNER.LIBCMT ref: 02573E75
                                              • Part of subcall function 02573E58: _NMSG_WRITE.LIBCMT ref: 02573E7F
                                            • _lock.LIBCMT ref: 0257A388
                                            • _lock.LIBCMT ref: 0257A3E3
                                            • _calloc_crt.LIBCMT ref: 0257A49A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _lock$_calloc_crt_mtinitlocknum
                                            • String ID:
                                            • API String ID: 3962633935-0
                                            • Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
                                            • Instruction ID: 6d07eeb0d87cbbbbab5ef1690c9aa2054359285cc8619bda3e3dcf8ee1788a79
                                            • Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
                                            • Instruction Fuzzy Hash: 6F511870568B098FDB189F18E885279B7E1FB88310F5146ADDC8AC7261E775D842CBCA
                                            APIs
                                            • malloc.LIBCMT ref: 0255553A
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • malloc.LIBCMT ref: 02555545
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F318
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F31D
                                            • free.LIBCMT ref: 0255562C
                                            • free.LIBCMT ref: 02555634
                                            • free.LIBCMT ref: 02555640
                                            • free.LIBCMT ref: 0255564D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
                                            • Instruction ID: c25a6397901e59bae3b04a1ea3c9acdf1b6b01e4c741afe7f4984ccd8cbc01c7
                                            • Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
                                            • Instruction Fuzzy Hash: E0412830318B5E4B9B29AB6C985523A77D5FBD6254B94422EDC87C3212FE20D8078BC9
                                            APIs
                                            • _fileno.LIBCMT ref: 025723B9
                                              • Part of subcall function 02575A54: _errno.LIBCMT ref: 02575A5D
                                              • Part of subcall function 02575A54: _invalid_parameter_noinfo.LIBCMT ref: 02575A68
                                            • _errno.LIBCMT ref: 025723C9
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • _errno.LIBCMT ref: 025723E5
                                            • _isatty.LIBCMT ref: 02572446
                                            • _getbuf.LIBCMT ref: 02572452
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
                                            • String ID:
                                            • API String ID: 304646821-0
                                            • Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
                                            • Instruction ID: 520724ffdb8707e62df77fc043170bdc0540be3b90b299687114ce1ed9c9e8cf
                                            • Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
                                            • Instruction Fuzzy Hash: 6F41E430164A098FDB58EF28E4917657BE2FF88310F5406A9DC5ACB296D774C881CB85
                                            APIs
                                            • malloc.LIBCMT ref: 0256924F
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • _snprintf.LIBCMT ref: 02569267
                                              • Part of subcall function 0256F63C: _errno.LIBCMT ref: 0256F673
                                              • Part of subcall function 0256F63C: _invalid_parameter_noinfo.LIBCMT ref: 0256F67E
                                            • free.LIBCMT ref: 0256927E
                                              • Part of subcall function 0256F244: RtlFreeHeap.NTDLL ref: 0256F25A
                                              • Part of subcall function 0256F244: _errno.LIBCMT ref: 0256F264
                                            • malloc.LIBCMT ref: 025692CE
                                            • _snprintf.LIBCMT ref: 025692E6
                                            • free.LIBCMT ref: 0256930E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 343393124-0
                                            • Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
                                            • Instruction ID: 906efdcc9f7248277e40c47ecc7d0c99819b74146aa84afa32b8911526502079
                                            • Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
                                            • Instruction Fuzzy Hash: 5531823071CA4C0F97A8AB6CA8197747BD2F789310754969DD08FC3296DE34DC428BC9
                                            APIs
                                              • Part of subcall function 023153EC: malloc.LIBCMT ref: 02315408
                                              • Part of subcall function 0231FA20: _errno.LIBCMT ref: 0231F977
                                              • Part of subcall function 0231FA20: _invalid_parameter_noinfo.LIBCMT ref: 0231F982
                                            • fseek.LIBCMT ref: 02310B30
                                              • Part of subcall function 023202A4: _errno.LIBCMT ref: 023202CC
                                              • Part of subcall function 023202A4: _invalid_parameter_noinfo.LIBCMT ref: 023202D7
                                            • _ftelli64.LIBCMT ref: 02310B38
                                              • Part of subcall function 02320318: _errno.LIBCMT ref: 02320336
                                              • Part of subcall function 02320318: _invalid_parameter_noinfo.LIBCMT ref: 02320341
                                            • fseek.LIBCMT ref: 02310B48
                                              • Part of subcall function 023202A4: _fseek_nolock.LIBCMT ref: 023202F5
                                            • malloc.LIBCMT ref: 02310B88
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                              • Part of subcall function 0230C444: malloc.LIBCMT ref: 0230C457
                                            • fclose.LIBCMT ref: 02310C45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                                            • String ID:
                                            • API String ID: 1756087678-0
                                            • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction ID: 8a768cd871a70eede5f1eb48c8fcd039c445d04518c9424d062344c13dc96288
                                            • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction Fuzzy Hash: DB41B32231469082DB28EB12E86476EA756F7C9BD0F808626DE5E5BB94DF3CC605CF00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1640621425-0
                                            • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                            • Instruction ID: ebb8f19de017ad4b064700313c3fb500bc8f38606de13aec80fba18b94470708
                                            • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                            • Instruction Fuzzy Hash: 4231293130075486DE2C9E27655022EB656FB44FE8F18C6248FAA47FE1DB7CD046CB40
                                            APIs
                                            • malloc.LIBCMT ref: 0230493A
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • malloc.LIBCMT ref: 02304945
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E718
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E71D
                                            • free.LIBCMT ref: 02304A2C
                                            • free.LIBCMT ref: 02304A34
                                            • free.LIBCMT ref: 02304A40
                                            • free.LIBCMT ref: 02304A4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                            • Instruction ID: 5a14584ef960df796ed5be9746539bc02528b5af47f3eaa49da6b8f7922aa0ce
                                            • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                            • Instruction Fuzzy Hash: 9931012231478586EF25EF2B546472A6B59F794B88F494024CF198BB51EF38C607C724
                                            APIs
                                            • malloc.LIBCMT ref: 0255FC85
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • free.LIBCMT ref: 0255FCC0
                                            • fwrite.LIBCMT ref: 0255FD01
                                            • fclose.LIBCMT ref: 0255FD09
                                            • free.LIBCMT ref: 0255FD16
                                              • Part of subcall function 0256F244: RtlFreeHeap.NTDLL ref: 0256F25A
                                              • Part of subcall function 0256F244: _errno.LIBCMT ref: 0256F264
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 415550720-0
                                            • Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
                                            • Instruction ID: ff1cece8497af390af5d6f5058a975376e119ed4c0648b7630c224d458a5cca0
                                            • Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
                                            • Instruction Fuzzy Hash: C9218430628E194BD784FB6CD46467EB6D2FBD8354F50056EA84AC3284EE38C9058B89
                                            APIs
                                            • malloc.LIBCMT ref: 0231864F
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • _snprintf.LIBCMT ref: 02318667
                                              • Part of subcall function 0231EA3C: _errno.LIBCMT ref: 0231EA73
                                              • Part of subcall function 0231EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0231EA7E
                                            • free.LIBCMT ref: 0231867E
                                              • Part of subcall function 0231E644: _errno.LIBCMT ref: 0231E664
                                            • malloc.LIBCMT ref: 023186CE
                                            • _snprintf.LIBCMT ref: 023186E6
                                            • free.LIBCMT ref: 0231870E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 761449704-0
                                            • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction ID: c08cd466d8fbec9c496c64edb4ab3d5760f26f7e0bd77c7058c5959d98d272d6
                                            • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction Fuzzy Hash: BE31911630468145EA2D9B6369187B5AB62B74AFD4F885112CEE907BA5CF3CC3538718
                                            APIs
                                            • malloc.LIBCMT ref: 0230F085
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • free.LIBCMT ref: 0230F0C0
                                            • fwrite.LIBCMT ref: 0230F101
                                            • fclose.LIBCMT ref: 0230F109
                                            • free.LIBCMT ref: 0230F116
                                              • Part of subcall function 0231E644: _errno.LIBCMT ref: 0231E664
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$free$_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 1696598829-0
                                            • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                            • Instruction ID: 11e011c671ea89595b89d9b796da04636fb043265deb742a6df68bd9d1b92125
                                            • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                            • Instruction Fuzzy Hash: 8F11865170474041DE38E752E06026EA392EBD5BE4F884225DE6E4BFC9DF3DC5068F80
                                            APIs
                                            • EnterCriticalSection.KERNEL32 ref: 0040E086
                                            • LeaveCriticalSection.KERNEL32 ref: 0040E0AA
                                            • ReleaseSemaphore.KERNEL32 ref: 0040E0CD
                                            • LeaveCriticalSection.KERNEL32 ref: 0040E0DF
                                            • LeaveCriticalSection.KERNEL32 ref: 0040E0F3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Leave$EnterReleaseSemaphore
                                            • String ID:
                                            • API String ID: 2813224205-0
                                            • Opcode ID: f09834c925dac6ef85fba9aec9c5b85908a8a907288cff7ced5317beb65f0088
                                            • Instruction ID: fd0f02da3eb3e2c0ed87388dae210e3cfedca7507af44677fc890da320676c38
                                            • Opcode Fuzzy Hash: f09834c925dac6ef85fba9aec9c5b85908a8a907288cff7ced5317beb65f0088
                                            • Instruction Fuzzy Hash: 7D01A26270562883EB254B6BAD1032A6390AB86FB6F448534CF0E42791ED7D88D7830A
                                            APIs
                                            • _errno.LIBCMT ref: 0257A5FD
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • __doserrno.LIBCMT ref: 0257A5F5
                                              • Part of subcall function 02571CA8: _getptd_noexit.LIBCMT ref: 02571CAC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                            • Instruction ID: e87ea320533ce32177e9faec64d9301a69d8c2206eb0176755783a7ec152e85f
                                            • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                            • Instruction Fuzzy Hash: ECF0F6319B4D4A4ED719AB74E95136C36A1FF4132AF958694D409CB2E0E77C44418F2A
                                            APIs
                                            • _errno.LIBCMT ref: 023299FD
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • __doserrno.LIBCMT ref: 023299F5
                                              • Part of subcall function 023210A8: _getptd_noexit.LIBCMT ref: 023210AC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                            • Instruction ID: 3d2dd2ce7e628dc51b532f798afa4d43e5ac756344c88e8ad246364c4cc261fb
                                            • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                            • Instruction Fuzzy Hash: 39F02BB272177444EF152F24C98032C72629B80B36FA18321CA7E073D1C73C440D8B14
                                            APIs
                                            • VirtualFree.KERNEL32(00000000,00000000,?,00403F55,?,00000000,?,0040568B,?,?,?,004015EB), ref: 00403C53
                                            • printf.MSVCRT ref: 00403C64
                                            • exit.MSVCRT(?,00403F55,?,00000000,?,0040568B,?,?,?,004015EB), ref: 00403C6E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: FreeVirtualexitprintf
                                            • String ID: virtualFree failing!
                                            • API String ID: 3269596046-3108117800
                                            • Opcode ID: f818d35066984f19e29fd5f82b8b7ed16069696f122ac403d0d867deb717cce3
                                            • Instruction ID: 3ec212181963c6067ec8a6b9ec1ebec953841177cf42901b3eed91814c51c128
                                            • Opcode Fuzzy Hash: f818d35066984f19e29fd5f82b8b7ed16069696f122ac403d0d867deb717cce3
                                            • Instruction Fuzzy Hash: 1B31E2B7606E4484EB158F66D9047A967A9E381FC9F18C037CE0DAB384EE3CC990C354
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: FreeVirtual
                                            • String ID: virtualFree failing!
                                            • API String ID: 1263568516-3108117800
                                            • Opcode ID: fbeba2427a4eca0fa3a9a79192208fb93826b9f356f15f56c56aaa979e056636
                                            • Instruction ID: c05decfb4976e675fc689d17eaa451d228e81519f2973baf07724d5d59094471
                                            • Opcode Fuzzy Hash: fbeba2427a4eca0fa3a9a79192208fb93826b9f356f15f56c56aaa979e056636
                                            • Instruction Fuzzy Hash: C611A7E6B02A8480EB08DF56D8447BA7AE5F750FC1F69D036CA0A67385CF3CC5919744
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: AddressProcexit
                                            • String ID: GetCurrentProcessId$could not import:
                                            • API String ID: 2129014486-1716527884
                                            • Opcode ID: b6c3b212903f479f4ebf49c946283e2f8c138eb0e1fa6f3f1027808c0aeba4d5
                                            • Instruction ID: 67eaf3da92af00e07100af7ea4084406d0af1b9a082fec374c9c0cd0e519a662
                                            • Opcode Fuzzy Hash: b6c3b212903f479f4ebf49c946283e2f8c138eb0e1fa6f3f1027808c0aeba4d5
                                            • Instruction Fuzzy Hash: 50F0F696B1171065EE06A3A3FC097BA53256B4D7D5F4C447A7E0C173C2EC7CC4428318
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: FreeVirtualexitprintf
                                            • String ID: virtualFree failing!
                                            • API String ID: 3269596046-3108117800
                                            • Opcode ID: 897f71388d7da554c15fb1ad01ed1eff5c6298ef26397a569b87150280dcb896
                                            • Instruction ID: 78a29147f2cb8f2abd1814e0672bbc76dc618bb76bcaf3126ef58004fd57675c
                                            • Opcode Fuzzy Hash: 897f71388d7da554c15fb1ad01ed1eff5c6298ef26397a569b87150280dcb896
                                            • Instruction Fuzzy Hash: 4A01D2A6313E0082EF54EF16E8493A926A5FB48BC1F68D43BCE0D63390DE3DC1948306
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf
                                            • String ID:
                                            • API String ID: 3512837008-0
                                            • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction ID: 34fe6692e58236b4b6682ad6a7b48ec6d7a83c73d4088d9b75cbae944ed0cd91
                                            • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction Fuzzy Hash: D4810731618A098FDB55EF18DC95BAAB7E6FB98304F00056ED84BC3190DF38DA45CB86
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf
                                            • String ID:
                                            • API String ID: 3512837008-0
                                            • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction ID: ddeae1f349c3c57680995d0a69422e3885f702e686fc95d8bd08e3d8aaf6d1aa
                                            • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction Fuzzy Hash: 7F717E72704B8586EB18EF65E8943E977A1F788788F444526DE8D03798DF3CC64ACB50
                                            APIs
                                            • EnterCriticalSection.KERNEL32 ref: 0040EDD9
                                            • LeaveCriticalSection.KERNEL32 ref: 0040EDEF
                                              • Part of subcall function 0040E070: EnterCriticalSection.KERNEL32 ref: 0040E086
                                              • Part of subcall function 0040E070: LeaveCriticalSection.KERNEL32 ref: 0040E0AA
                                            • LeaveCriticalSection.KERNEL32 ref: 0040EE53
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Leave$Enter
                                            • String ID:
                                            • API String ID: 2978645861-0
                                            • Opcode ID: 6a11056a20cc35de2018387810d39915439db575be4cd99d8750b0f236ff1038
                                            • Instruction ID: 61bb3ac6c2898bd4d78bd4257e1d5eccff422152c7fd7f5e7ea54e01c5cc92cc
                                            • Opcode Fuzzy Hash: 6a11056a20cc35de2018387810d39915439db575be4cd99d8750b0f236ff1038
                                            • Instruction Fuzzy Hash: 623176B22007448AC7609F37D80075A3361F785F98F08893ADF6AA7795EF78D4A6C754
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: f79286804addad490cfe4ab14be8324b714beba69de8c756b54e71d2cf5278df
                                            • Instruction ID: b9fa9daab60f5cdee7daf810507fd102d4a1feffda094eb5bf4fcc26180e4d16
                                            • Opcode Fuzzy Hash: f79286804addad490cfe4ab14be8324b714beba69de8c756b54e71d2cf5278df
                                            • Instruction Fuzzy Hash: D031AEA1216F4491EF25CB15E8507AB2361FB44B84F48043B8B5E67392EF7CC499D38E
                                            APIs
                                            • malloc.LIBCMT ref: 0256F00F
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • malloc.LIBCMT ref: 0256F01D
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F318
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F31D
                                            • malloc.LIBCMT ref: 0256F03F
                                            • _snprintf.LIBCMT ref: 0256F05A
                                              • Part of subcall function 0256F63C: _errno.LIBCMT ref: 0256F673
                                              • Part of subcall function 0256F63C: _invalid_parameter_noinfo.LIBCMT ref: 0256F67E
                                            • malloc.LIBCMT ref: 0256F075
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                                            • String ID:
                                            • API String ID: 2026495703-0
                                            • Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
                                            • Instruction ID: adb0d6d86d96d2be4976f4a9f346f99b42228845db1091b6c98b4697608b6e2d
                                            • Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
                                            • Instruction Fuzzy Hash: E6113D70A1CF194FD7A8EB6CB44922576D2FB8C320F10459EE09BC3795EA349D454BC5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 634798775-0
                                            • Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
                                            • Instruction ID: 49839589c4a33311831ef706d3b943637f877e9f763e1983307db9ca75a16c9a
                                            • Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
                                            • Instruction Fuzzy Hash: 90412D30358F0D4FD72C6E6DB45523676C1FBD8714B14126ED89AC31E2EBB1D8528ACA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction ID: f8776b367fb57209128baab3c77ef80234e4cbb3e0fcd364922892bfa78135a4
                                            • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction Fuzzy Hash: 3F51A072702640CAD728DF2AE589378B7A2F768B99F14556ACA054B770CF3CD642CF40
                                            APIs
                                            • GetHandleInformation.KERNEL32 ref: 0040CEAF
                                              • Part of subcall function 0040B420: TlsGetValue.KERNEL32 ref: 0040B43C
                                            • WaitForSingleObject.KERNEL32 ref: 0040CEF3
                                            • CloseHandle.KERNEL32 ref: 0040CF16
                                            • CloseHandle.KERNEL32 ref: 0040CF21
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Handle$Close$InformationObjectSingleValueWait
                                            • String ID:
                                            • API String ID: 3336430066-0
                                            • Opcode ID: e901414d97ce13e6ae834dcc09ab6f319b7fd8cc618350ee60b6e226b2f19569
                                            • Instruction ID: 91672e44118f4f9bfc7affad747543ab7aeb8bf378ee3e6b17fc93df5db559ee
                                            • Opcode Fuzzy Hash: e901414d97ce13e6ae834dcc09ab6f319b7fd8cc618350ee60b6e226b2f19569
                                            • Instruction Fuzzy Hash: 82318D62701A05C1EB11EB25E99077A6355EF50B98F4842379E0D673D6EF3CC8C6D34A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction ID: fcc6bf2992721240a19ae1ea94fcef4c951e1af60786cc04bf7e9d221920e198
                                            • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction Fuzzy Hash: 9511063584CB2D0F4728EDE8A483736BFD0FB85250F1546AEDCCEC3202FA51984286DA
                                            APIs
                                            • GetHandleInformation.KERNEL32 ref: 0040CD90
                                              • Part of subcall function 0040B420: TlsGetValue.KERNEL32 ref: 0040B43C
                                            • WaitForSingleObject.KERNEL32 ref: 0040CDE6
                                            • CloseHandle.KERNEL32 ref: 0040CDF7
                                            • CloseHandle.KERNEL32 ref: 0040CE02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Handle$Close$InformationObjectSingleValueWait
                                            • String ID:
                                            • API String ID: 3336430066-0
                                            • Opcode ID: c7d31dfb50537f1a8eccbce3a4ae1095dcfbf069d35d1df4c7b76af1d8775615
                                            • Instruction ID: 2ca5244af04e7952dda4fb09adb163b19184c4422eeead410ec1c766d6e3fc79
                                            • Opcode Fuzzy Hash: c7d31dfb50537f1a8eccbce3a4ae1095dcfbf069d35d1df4c7b76af1d8775615
                                            • Instruction Fuzzy Hash: 64214F72301644C5DB14AF35D98036A2765EB44FA8F084337AE2D677D8DF38C881C389
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0232E9FC
                                              • Part of subcall function 02320A00: _getptd.LIBCMT ref: 02320A16
                                              • Part of subcall function 02320A00: __updatetlocinfo.LIBCMT ref: 02320A4B
                                              • Part of subcall function 02320A00: __updatetmbcinfo.LIBCMT ref: 02320A72
                                            • _errno.LIBCMT ref: 0232EA08
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0232EA13
                                            • strchr.LIBCMT ref: 0232EA29
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                            • String ID:
                                            • API String ID: 4151157258-0
                                            • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                            • Instruction ID: 2164d412faa2e3f2c7583543b18699a784e3dc1d2f9f60404da324d237df20cd
                                            • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                            • Instruction Fuzzy Hash: 7F1101736082F441DF209726905223EBBA1F381FE9B4C8122EADB0BE55DB3CD14ACB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction ID: 473a0bfca54bc70771890c334d12dba813a49b0180cefb23fa6294c0900c7717
                                            • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction Fuzzy Hash: 46114832208758859738EEA6A8D026FF650FB88394F194035EE8403640EB74C486CB20
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0040BBDD
                                            • GetProcessAffinityMask.KERNEL32 ref: 0040BBEC
                                            • GetCurrentProcess.KERNEL32 ref: 0040BC22
                                            • SetProcessAffinityMask.KERNEL32 ref: 0040BC2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: Process$AffinityCurrentMask
                                            • String ID:
                                            • API String ID: 1231390398-0
                                            • Opcode ID: ad1b5c13f90c738a07939670b23dce36460909951f9cf688e786cc78484e5ba1
                                            • Instruction ID: 02328c6c6b3d0d372d7c0dac7e68b381e294f472b7c9d59da6aa44ab6565df31
                                            • Opcode Fuzzy Hash: ad1b5c13f90c738a07939670b23dce36460909951f9cf688e786cc78484e5ba1
                                            • Instruction Fuzzy Hash: 3DF0AFB3705B0446EB354B2AA8043AB1350FB89B88F8D0539DE8C67390EF3DC9858648
                                            APIs
                                            • malloc.LIBCMT ref: 023113D2
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • _snprintf.LIBCMT ref: 023113F1
                                              • Part of subcall function 0231EA3C: _errno.LIBCMT ref: 0231EA73
                                              • Part of subcall function 0231EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0231EA7E
                                            • remove.LIBCMT ref: 023113FD
                                            • remove.LIBCMT ref: 02311404
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                            • String ID:
                                            • API String ID: 2566950902-0
                                            • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                            • Instruction ID: e786008582cf331d90849364cb36a0a38b2f51d4499f88b938e124b6ac03a6e6
                                            • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                            • Instruction Fuzzy Hash: B8F05E26604B9089D218AB12B8103AAB365E794FD0F9C4125AF8D17F1ADF3DC5518B44
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: signal
                                            • String ID:
                                            • API String ID: 1946981877-0
                                            • Opcode ID: 7eb602c1e84c8f2d4508f5b150893b77c3169bd1914478484148f26fd94796d2
                                            • Instruction ID: 7ffd0c8f86152527011bd58111e4023a9ddab865a73872750b6147fe438d269d
                                            • Opcode Fuzzy Hash: 7eb602c1e84c8f2d4508f5b150893b77c3169bd1914478484148f26fd94796d2
                                            • Instruction Fuzzy Hash: 4CE026E4B06701B1E60CA755DC923A42212B768384FE0542BD70D667D56EBC9567831B
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: AddressProc
                                            • String ID: @$GetCurrentProcessId
                                            • API String ID: 190572456-642312612
                                            • Opcode ID: cf4e8c461840196a1d5e3a424c946105794e48b74e8b7f7133caa5fd94005634
                                            • Instruction ID: 6816c09b5b8e3e01587aae7f86101661e2e93c0761c323be59c28c1205b1a22f
                                            • Opcode Fuzzy Hash: cf4e8c461840196a1d5e3a424c946105794e48b74e8b7f7133caa5fd94005634
                                            • Instruction Fuzzy Hash: EF218B63F0928095EF25C729EA1076B7A62A7887CCF494233CE0E17785E63DE406C30A
                                            APIs
                                            • _errno.LIBCMT ref: 0256F8B1
                                              • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0256F8BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction ID: 4d2718d039b7f640d8e6a3bc4cc43b01f0776613f71a220fb73b0baccc81c2d8
                                            • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction Fuzzy Hash: 3F118F31628B084FD744EF5CE489769B7D1FB98324F6047AEA41AC72A0DB74C944CB86
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            • Unknown error, xrefs: 00409330
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-3474627141
                                            • Opcode ID: 2d0b19d687f5f29cc7643fbd37e0e5f2d4d696f631616a4441eb7d840dc4efaa
                                            • Instruction ID: cae68dea5b8d569cca2d0e83e0920741968e0506a5837e57793b34c44011c690
                                            • Opcode Fuzzy Hash: 2d0b19d687f5f29cc7643fbd37e0e5f2d4d696f631616a4441eb7d840dc4efaa
                                            • Instruction Fuzzy Hash: 4911C262504F84C6D6068F1CE8413EAB370FF9E79AF699316EB8826221DB39C553CB04
                                            APIs
                                            • _errno.LIBCMT ref: 0231ECB1
                                              • Part of subcall function 02321118: _getptd_noexit.LIBCMT ref: 0232111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0231ECBC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction ID: 85d8ee9363f7580267a139feccb929d8130aa981577cb5988c6e3a139dbf7c30
                                            • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction Fuzzy Hash: 4C01C4B2610A5086DB149F12D940359B665F798FE4F544320EF9817B99CF3CC244CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: AllocVirtualexit
                                            • String ID: out of memory
                                            • API String ID: 1690354023-49810860
                                            • Opcode ID: 9b30ec3905c0c89b5cfc935bf5c2c0e287248be0effbb3e24d463318583e68f4
                                            • Instruction ID: bcd7b5c2427913cdb9a25d01757c6bc0127a90ceabd5c3f63053bd2737258ddf
                                            • Opcode Fuzzy Hash: 9b30ec3905c0c89b5cfc935bf5c2c0e287248be0effbb3e24d463318583e68f4
                                            • Instruction Fuzzy Hash: 4BF027A0702A0081EF183B22E84A33E1A60BB59B85F44003DCF0E233C1DE3C8240C71E
                                            APIs
                                            Strings
                                            • Argument singularity (SIGN), xrefs: 004092E0
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2468659920
                                            • Opcode ID: e707bc938d8cb56276a69ee73003da0d9516395540f78725769a23699e01524d
                                            • Instruction ID: 945eab0354003da6d15c318be8cb8bfb8d9bc9826b62463795d0ef5024144848
                                            • Opcode Fuzzy Hash: e707bc938d8cb56276a69ee73003da0d9516395540f78725769a23699e01524d
                                            • Instruction Fuzzy Hash: FAF09653404F4486C201CF1CA8403ABB370FF4D789F195316EF893A565DB29C6438704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            • Overflow range error (OVERFLOW), xrefs: 004092F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4064033741
                                            • Opcode ID: 63982a0cdb84859ed763b5c711bde44b355f234fde89ca4447e5f37daf66b5be
                                            • Instruction ID: 599cd6dfe6446d7fb291f0328e5a12d9de9925ea8f72b494281c938f8dfdd2d4
                                            • Opcode Fuzzy Hash: 63982a0cdb84859ed763b5c711bde44b355f234fde89ca4447e5f37daf66b5be
                                            • Instruction Fuzzy Hash: 07F09653404F4886C201CF1CA8403ABB370FF4D789F195316EF8936565DB28C643C704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            • The result is too small to be represented (UNDERFLOW), xrefs: 00409300
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2187435201
                                            • Opcode ID: 2440f995e710b0a9293939027ba80f1e42b1855cb9b66d2cb06fd16afb0e1e2d
                                            • Instruction ID: 10411b5f3a914164e62eaac81bb6ec492088dca942ee3a17a62361c2ae89ebb3
                                            • Opcode Fuzzy Hash: 2440f995e710b0a9293939027ba80f1e42b1855cb9b66d2cb06fd16afb0e1e2d
                                            • Instruction Fuzzy Hash: E4F09053804F8886C202CF1CA8403ABB370FF8E789F69531AEF893A565DB28C643C704
                                            APIs
                                            Strings
                                            • Total loss of significance (TLOSS), xrefs: 00409310
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4273532761
                                            • Opcode ID: 5a8dd1d23a4a9bcf5a86f606299c1fab861597c7fa94b4d0570c2d43325b0f0a
                                            • Instruction ID: 097057f6ad5878e72e4ee4ac181b16957aa34abbcbda9fdca5e43a0e22e2c7a5
                                            • Opcode Fuzzy Hash: 5a8dd1d23a4a9bcf5a86f606299c1fab861597c7fa94b4d0570c2d43325b0f0a
                                            • Instruction Fuzzy Hash: DBF09653404F4486C201CF1CA8403ABB370FF4D789F195316EF8936525DB28C643C704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            • Partial loss of significance (PLOSS), xrefs: 00409320
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4283191376
                                            • Opcode ID: 24f4091a73ebc1d9a38f5fe4bfb48fc015a6aec1e1d4ab082d4ce2a16c115147
                                            • Instruction ID: d595b76cc4570e4ec6a1876ee9f9bbc4f7f40900f5a3181d2aa152d52b128fbe
                                            • Opcode Fuzzy Hash: 24f4091a73ebc1d9a38f5fe4bfb48fc015a6aec1e1d4ab082d4ce2a16c115147
                                            • Instruction Fuzzy Hash: A0F09653404F4486C201CF1CA8403ABB370FF5D789F195316EF8936565DB28C643C704
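The function entries above all follow one layout (an APIs list, optional Strings with xrefs, a Memory Dump Source line, an optional Yara matches marker, and a Similarity block whose API String ID is written as two hash components). Working through hundreds of them by hand is slow, so the following parser is added here as an example; it is not part of the Joe Sandbox report or of the analysed sample. The sample text it parses is constructed from four of the entries above (the affinity-mask function, the _errno handler in the Yara-matched 02550000 region, and two of the fprintf _matherr handlers), and it relies on an observation from this page rather than on documented Joe Sandbox behaviour: across the six _matherr entries the first component of API String ID stays 383729395 while only the second changes with the string set, so grouping on that first component collapses functions that share an API set.

```python
import re
from collections import defaultdict

# Section headers that delimit one function entry in the report layout above.
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}

# Constructed sample: four entries copied in the report's layout (not the full page).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 0040BBDD
• GetProcessAffinityMask.KERNEL32 ref: 0040BBEC
• SetProcessAffinityMask.KERNEL32 ref: 0040BC2A
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
APIs
• _errno.LIBCMT ref: 0256F8B1
  • Part of subcall function 02571D18: _getptd_noexit.LIBCMT ref: 02571D1C
• _invalid_parameter_noinfo.LIBCMT ref: 0256F8BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Yara matches
Similarity
• API ID: _errno_getptd_noexit_invalid_parameter_noinfo
• String ID: B
• API String ID: 1812809483-1255198513
APIs
Strings
• Overflow range error (OVERFLOW), xrefs: 004092F0
• _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: fprintf
• API String ID: 383729395-4064033741
APIs
Strings
• Total loss of significance (TLOSS), xrefs: 00409310
• _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
Memory Dump Source
• Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: fprintf
• API String ID: 383729395-4273532761
"""

API_RE = re.compile(r"(?:Part of subcall function (\w+): )?(\S+)\.(\w+) ref: (\w+)")
STR_RE = re.compile(r"(.*), xrefs: (\w+)$")
SRC_RE = re.compile(r"Source File: (\S+), Offset: (\w+), based on PE: (true|false)")


def parse_entries(text):
    """Split the report text into one dict per function entry (each starts at an 'APIs' header)."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "subcalls": [], "strings": [], "yara": False,
                   "source": None, "offset": None, "pe": None, "sim": {}}
            entries.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in HEADERS:
            section = line
            if line == "Yara matches":      # the header only appears when the region matched
                cur["yara"] = True
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs" and (m := API_RE.match(body)):
            rec = {"api": m.group(2), "module": m.group(3), "ref": m.group(4)}
            (cur["subcalls"] if m.group(1) else cur["apis"]).append(rec)
        elif section == "Strings" and (m := STR_RE.match(body)):
            cur["strings"].append({"text": m.group(1), "xref": m.group(2)})
        elif section == "Memory Dump Source" and (m := SRC_RE.match(body)):
            cur["source"], cur["offset"] = m.group(1), m.group(2)
            cur["pe"] = m.group(3) == "true"
        elif section == "Similarity" and (m := re.match(r"([^:]+):\s*(.*)", body)):
            cur["sim"][m.group(1)] = m.group(2)
    return entries


def api_set_id(entry):
    """First component of 'API String ID'; constant across entries sharing an API set (page observation)."""
    return entry["sim"].get("API String ID", "-").split("-")[0]


def group_by_api_set(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[api_set_id(e)].append(e)
    return dict(groups)


def shared_strings(group):
    """Strings referenced by every entry in a group, e.g. the common _matherr format string."""
    sets = [{s["text"] for s in e["strings"]} for e in group]
    return set.intersection(*sets) if sets else set()


def triage(entries):
    """Entries worth a first look: Yara-matched regions and code outside any PE-backed image."""
    yara = [e for e in entries if e["yara"]]
    unmapped = [e for e in entries if e["pe"] is False]
    return yara, unmapped


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for key, group in group_by_api_set(parsed).items():
        print(key, [e["sim"].get("API ID") for e in group], shared_strings(group))
    hits, unmapped = triage(parsed)
    print("yara:", [e["offset"] for e in hits], "non-PE:", [e["offset"] for e in unmapped])
```

Run against the whole exported report, the grouping turns the repeated fprintf/_matherr handlers into a single line and the Yara and non-PE filters surface the 02300000 and 02550000 regions, which is where the beacon-related matches in this report sit, rather than the MinGW CRT code at 00400000.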
                                            APIs
                                            Strings
                                            • Argument domain error (DOMAIN), xrefs: 00409271
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004092A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2713391170
                                            • Opcode ID: b470e2ec745e5dc0a1793ae33c37ab8c5311d9ccd633434ea94186f0bf15b3fd
                                            • Instruction ID: 073ce4a4cbda516259acb7becc95f376b22afaa9eb73b48beb55df6b68f8036a
                                            • Opcode Fuzzy Hash: b470e2ec745e5dc0a1793ae33c37ab8c5311d9ccd633434ea94186f0bf15b3fd
                                            • Instruction Fuzzy Hash: 5CF0B463804F8886C202CF1CA8403ABB370FF4E789F195316EF893A524DB28C643C704
                                            APIs
                                            • calloc.LIBCMT ref: 0230116A
                                              • Part of subcall function 0232E208: _calloc_impl.LIBCMT ref: 0232E218
                                              • Part of subcall function 0232E208: _errno.LIBCMT ref: 0232E22B
                                              • Part of subcall function 0232E208: _errno.LIBCMT ref: 0232E235
                                            • free.LIBCMT ref: 023012F3
                                            • free.LIBCMT ref: 023012FD
                                            • free.LIBCMT ref: 0230130F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_calloc_implcalloc
                                            • String ID:
                                            • API String ID: 4000150058-0
                                            • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction ID: 309e6ca9590fb27c41a1348dcdfc67356fb286d6ce8849e66bda58708da93684
                                            • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction Fuzzy Hash: 7CC11A32618B848AD764CF65E89479E77B4F788B88F10412AEBCD87B58DF38C555CB00
                                            APIs
                                            • malloc.LIBCMT ref: 0256AD78
                                              • Part of subcall function 0256F284: _FF_MSGBANNER.LIBCMT ref: 0256F2B4
                                              • Part of subcall function 0256F284: _NMSG_WRITE.LIBCMT ref: 0256F2BE
                                              • Part of subcall function 0256F284: _callnewh.LIBCMT ref: 0256F2F2
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F2FD
                                              • Part of subcall function 0256F284: _errno.LIBCMT ref: 0256F308
                                            • free.LIBCMT ref: 0256AEBF
                                            • free.LIBCMT ref: 0256AF23
                                            • free.LIBCMT ref: 0256AF2F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
                                            • Instruction ID: d311af8b23e9183e1d721da83684e0dfff79b1d4bf379932d06b827430abe4a0
                                            • Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
                                            • Instruction Fuzzy Hash: 4951C635718A0A4FDB59EB28D89867DB3E2FBC8300F100A2DD44BC3155EF74D9428B8A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498758475.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2550000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
                                            • Instruction ID: bb8b3a6d4fb2e46a4dc3b34d8fcea99b4ea0a6d02b8ce77f334930865dee525e
                                            • Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
                                            • Instruction Fuzzy Hash: F941D37061CA558BCB5CDF2CE89427A77E1FBC8310700456EDC9BC3256EF30E8928A89
                                            APIs
                                            • malloc.LIBCMT ref: 0231A178
                                              • Part of subcall function 0231E684: _FF_MSGBANNER.LIBCMT ref: 0231E6B4
                                              • Part of subcall function 0231E684: _NMSG_WRITE.LIBCMT ref: 0231E6BE
                                              • Part of subcall function 0231E684: _callnewh.LIBCMT ref: 0231E6F2
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E6FD
                                              • Part of subcall function 0231E684: _errno.LIBCMT ref: 0231E708
                                            • free.LIBCMT ref: 0231A2BF
                                            • free.LIBCMT ref: 0231A323
                                            • free.LIBCMT ref: 0231A32F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction ID: a264f3b4adafdbb2113bb763085ae8574918c564350001a45025510047b18867
                                            • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction Fuzzy Hash: 9351C03230574586DE2CFB2AE45036E63A2FB85BC1F984926CE1A5BB54EF7ED501CB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498713924.0000000002300000.00000020.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2300000_svchostinter.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction ID: 79ba584b6f65a53a3280c886bb8c6a2886de2d592a7ca2a13e0e3084e408e573
                                            • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction Fuzzy Hash: 0941B37270078187CB68DF26E4A066E77A5F784FC8F4485A5DE2A47B44EF38D809CB14
                                            APIs
                                            • EnterCriticalSection.KERNEL32 ref: 0040EB67
                                            • LeaveCriticalSection.KERNEL32 ref: 0040EB8E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: 4a4c7fba1a6e6ae530c452ec11eda39110b68435af26e3958d9cdc29cbdbbb18
                                            • Instruction ID: ffc107a79c8ca23e6cb2ab8f4a33688f2962519e9cda97039da4d76dda66b925
                                            • Opcode Fuzzy Hash: 4a4c7fba1a6e6ae530c452ec11eda39110b68435af26e3958d9cdc29cbdbbb18
                                            • Instruction Fuzzy Hash: DA31717370460086E750DF3AE40035A73A0E740BA8F184A36DF265B3C8EB79D896CB59
                                            APIs
                                            • EnterCriticalSection.KERNEL32 ref: 0040EA37
                                            • LeaveCriticalSection.KERNEL32 ref: 0040EA5E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: 15d575399897864f71b927fedc9677e28d381f2498bfae7a6f74509db4b5cc22
                                            • Instruction ID: 671f9346988143cf189ff9c19a3e50ba0894d4c724fc7568212cb4dad4618ca6
                                            • Opcode Fuzzy Hash: 15d575399897864f71b927fedc9677e28d381f2498bfae7a6f74509db4b5cc22
                                            • Instruction Fuzzy Hash: 8A219573704600CBDB54CF3AD44039A33A0F788B68F088A36DE1697788EB79C996CB55
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,004015EB,?,?,?,0040EC9B), ref: 0040E7F0
                                            • LeaveCriticalSection.KERNEL32(?,?,0040EC9B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E806
                                            • EnterCriticalSection.KERNEL32(?,?,0040EC9B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E835
                                            • LeaveCriticalSection.KERNEL32(?,?,0040EC9B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E83F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: c01eae508601ac2bced1713845ebc6d8aab6a0451395c797fa42af9f7b587646
                                            • Instruction ID: c4630b665ad4d136283a3c0854155f125ef7188aff18a47595cba90a7203099d
                                            • Opcode Fuzzy Hash: c01eae508601ac2bced1713845ebc6d8aab6a0451395c797fa42af9f7b587646
                                            • Instruction Fuzzy Hash: 4F01D1337045109AD726EB33AC00B2A6750BBC9FE8F188422EE0913750DE3CC553D705
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2498301705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2498268109.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498331443.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498363224.0000000000411000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498422468.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498445094.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498468101.000000000045F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498493219.0000000000463000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2498519257.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_svchostinter.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeavefree
                                            • String ID:
                                            • API String ID: 4020351045-0
                                            • Opcode ID: 78a3235d163a2de0c0b9d5cf9a837263df8389fed1f3972b4169db4cab243b6f
                                            • Instruction ID: 30c992c40092553c7fac1774a41a8907275ea653607729d19a6be7d8ee101634
                                            • Opcode Fuzzy Hash: 78a3235d163a2de0c0b9d5cf9a837263df8389fed1f3972b4169db4cab243b6f
                                            • Instruction Fuzzy Hash: A9011AB1351A0583EB58DB55EC8036A23A1FB94B41F544436CA0D973A2EB7CDC95D34A