Edit tour

Windows Analysis Report
360safe.exe

Overview

General Information

Sample name:	360safe.exe
Analysis ID:	1565272
MD5:	da7d87948abd48d5ba7f0449a12baed1
SHA1:	ce1a7523a2333d3bfedeb2ff596cd950e2d73c6d
SHA256:	0452656d33fcd78f19ad3fbb44594fa6b64852a2882353266377cfe3e65ad02f
Tags:	exeSliverFoxWinOsuser-kafan_shengui
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

AI detected suspicious sample

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain checking for user administrative privileges

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create new users

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

360safe.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\360safe.exe" MD5: DA7D87948ABD48D5BA7F0449A12BAED1)

svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3752 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 6392 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

HoopCity.exe (PID: 4036 cmdline: "C:\Program Files\Windows Mail\HoopCity.exe" MD5: EF8BDE64E1943C51E2DE2E5CB0182DEB)

svchost.exe (PID: 2352 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 1196 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\360safe.exe", ParentImage: C:\Users\user\Desktop\360safe.exe, ParentProcessId: 6536, ParentProcessName: 360safe.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 932, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\360safe.exe", ParentImage: C:\Users\user\Desktop\360safe.exe, ParentProcessId: 6536, ParentProcessName: 360safe.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 932, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\HoopCity.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\HoopCityBase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\mimidump.inf	Jump to behavior

Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win64_VS2019_nondev_i_r\WindowsPlayer_player_Master_il2cpp_x64.pdb source: 360safe.exe, 00000000.00000002.1271635037.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmp, HoopCity.exe, HoopCity.exe, 0000000A.00000002.1279364875.000000014000C000.00000002.00000001.01000000.00000008.sdmp, HoopCity.exe.3.dr
Source:	Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb$ source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: QtWidgetsApplication1.pdb source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5068A0 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	3_2_000002287B5068A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC268A0 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	3_2_000002287BC268A0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800268A0 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	6_2_00000001800268A0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800268A0 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	10_2_00000001800268A0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800268A0 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	11_2_00000001800268A0

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FC9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B4FC9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FDF30 malloc,memset,FindFirstFileW,free,	3_2_000002287B4FDF30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FCE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B4FCE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FE370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000002287B4FE370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1DF30 malloc,memset,FindFirstFileW,free,	3_2_000002287BC1DF30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC1CE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000002287BC1E370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC1C9B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	6_2_000000018001E370
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001C9B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001CE50
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	6_2_000000018001DF30
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00007FFB1C2E6418 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,abort,abort,abort,	10_2_00007FFB1C2E6418
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	10_2_000000018001E370
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_000000018001C9B0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_000000018001CE50
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	10_2_000000018001DF30
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	11_2_000000018001E370
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_000000018001C9B0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_000000018001CE50
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	11_2_000000018001DF30

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B509B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,

3_2_000002287B509B00

Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.197.113.45
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B512CE0 VirtualAlloc,CreateEventW,WSARecv,WSAGetLastError,WaitForMultipleObjects,WSAGetOverlappedResult,WSAGetLastError,CloseHandle,VirtualFree,

3_2_000002287B512CE0

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: 360safe.exe	String found in binary or memory: http://.css
Source: 360safe.exe	String found in binary or memory: http://.jpg
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HoopCity.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dl.360safe.com/offlinepackv4.exe
Source: 360safe.exe	String found in binary or memory: http://html4/loose.dtd
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.360.cn/safe/xxzx.html?stype=msgcenter&type=
Source: 360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.360.cn/weishi/cht/index.html#http://dl.360safe.com/setupbeta.exe
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004F4E000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B3FE000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.com
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://policies.google.com/
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.soft.360.cn/jump?id=41X
Source: 360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://update.360safe.com/safe/checkupdate.ini2http://update.360safe.com/safe/checkupdate_cht.ini&
Source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4F9B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,

3_2_000002287B4F9B50

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F9B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_000002287B4F9B50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F9930 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000002287B4F9930
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B506290 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_000002287B506290
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50F240 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000002287B50F240
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC19B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_000002287BC19B50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC26290 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_000002287BC26290
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2F240 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000002287BC2F240
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC19930 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_000002287BC19930
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018002F240 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_000000018002F240
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180026290 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	6_2_0000000180026290
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180019930 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_0000000180019930
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180019B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	6_2_0000000180019B50
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018002F240 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_000000018002F240
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180026290 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	10_2_0000000180026290
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180019930 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_0000000180019930
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180019B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	10_2_0000000180019B50
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018002F240 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_000000018002F240
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180026290 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	11_2_0000000180026290
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180019930 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_0000000180019930
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180019B50 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	11_2_0000000180019B50

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4FADC0 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,

3_2_000002287B4FADC0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4FA570 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

3_2_000002287B4FA570

Source: 360safe.exe, 00000000.00000002.1269853976.00000000024AD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_2aef89ae-b

Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,	0_2_0000000180005824
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,RtlCopyMemory,NtAlpcConnectPort,	0_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F1C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_000002287B4F1C70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F1AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_000002287B4F1AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F2990 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	3_2_000002287B4F2990
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC11C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_000002287BC11C70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC11AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_000002287BC11AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC12990 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	3_2_000002287BC12990
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	6_2_0000000180011AE0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	6_2_0000000180011C70
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180012990 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	6_2_0000000180012990
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001F870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CreateRemoteThread,	10_2_000000018001F870
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180012990 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	10_2_0000000180012990
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	10_2_0000000180011AE0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	10_2_0000000180011C70
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180012990 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	11_2_0000000180012990
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	11_2_0000000180011AE0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	11_2_0000000180011C70

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B500700: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle,

3_2_000002287B500700

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4F6110 GetCurrentProcessId,TerminateThread,TerminateProcess,lstrcmpiW,Sleep,ExitThread,memset,lstrcatW,lstrcatW,memset,GetSystemDirectoryW,GetLastError,lstrcatW,lstrcatW,lstrcatW,OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SysAllocString,Sleep,GetCurrentProcess,TerminateProcess,

3_2_000002287B4F6110

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B5000A0 WTSQueryUserToken,GetLastError,DuplicateTokenEx,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,

3_2_000002287B5000A0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800054D5	0_2_00000001800054D5
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800080F2	0_2_00000001800080F2
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800015B0	0_2_00000001800015B0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180009BC0	0_2_0000000180009BC0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180001010	0_2_0000000180001010
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003833	0_2_0000000180003833
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000284D	0_2_000000018000284D
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003464	0_2_0000000180003464
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000947B	0_2_000000018000947B
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003880	0_2_0000000180003880
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002C8A	0_2_0000000180002C8A
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000F890	0_2_000000018000F890
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180004CB0	0_2_0000000180004CB0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800044C1	0_2_00000001800044C1
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000ECE0	0_2_000000018000ECE0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003CF2	0_2_0000000180003CF2
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000290C	0_2_000000018000290C
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002526	0_2_0000000180002526
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003530	0_2_0000000180003530
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180007550	0_2_0000000180007550
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180004153	0_2_0000000180004153
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180001D60	0_2_0000000180001D60
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002170	0_2_0000000180002170
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800045A9	0_2_00000001800045A9
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000B1AC	0_2_000000018000B1AC
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003DBC	0_2_0000000180003DBC
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800101C0	0_2_00000001800101C0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800069E0	0_2_00000001800069E0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180010E00	0_2_0000000180010E00
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002A06	0_2_0000000180002A06
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000360B	0_2_000000018000360B
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180001A10	0_2_0000000180001A10
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002A19	0_2_0000000180002A19
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000B620	0_2_000000018000B620
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002E24	0_2_0000000180002E24
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180005E58	0_2_0000000180005E58
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000225E	0_2_000000018000225E
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002666	0_2_0000000180002666
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000B280	0_2_000000018000B280
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000E297	0_2_000000018000E297
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000469C	0_2_000000018000469C
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180006AB0	0_2_0000000180006AB0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000BEB0	0_2_000000018000BEB0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000B6C0	0_2_000000018000B6C0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180008EC0	0_2_0000000180008EC0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000C2D0	0_2_000000018000C2D0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003AE0	0_2_0000000180003AE0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800096E0	0_2_00000001800096E0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000C6F0	0_2_000000018000C6F0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003717	0_2_0000000180003717
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000435B	0_2_000000018000435B
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180006F70	0_2_0000000180006F70
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000C370	0_2_000000018000C370
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180002777	0_2_0000000180002777
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_00000001800033B8	0_2_00000001800033B8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001010	3_2_0000000180001010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001D60	3_2_0000000180001D60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001A10	3_2_0000000180001A10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003833	3_2_0000000180003833
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000284D	3_2_000000018000284D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003464	3_2_0000000180003464
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000947B	3_2_000000018000947B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003880	3_2_0000000180003880
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002C8A	3_2_0000000180002C8A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000F890	3_2_000000018000F890
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180004CB0	3_2_0000000180004CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800044C1	3_2_00000001800044C1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800054D5	3_2_00000001800054D5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000ECE0	3_2_000000018000ECE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003CF2	3_2_0000000180003CF2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800080F2	3_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000290C	3_2_000000018000290C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002526	3_2_0000000180002526
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003530	3_2_0000000180003530
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180007550	3_2_0000000180007550
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180004153	3_2_0000000180004153
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002170	3_2_0000000180002170
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800045A9	3_2_00000001800045A9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B1AC	3_2_000000018000B1AC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800015B0	3_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003DBC	3_2_0000000180003DBC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800101C0	3_2_00000001800101C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800069E0	3_2_00000001800069E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180010E00	3_2_0000000180010E00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002A06	3_2_0000000180002A06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000360B	3_2_000000018000360B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002A19	3_2_0000000180002A19
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003220	3_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B620	3_2_000000018000B620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002E24	3_2_0000000180002E24
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180005E58	3_2_0000000180005E58
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000225E	3_2_000000018000225E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002666	3_2_0000000180002666
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B280	3_2_000000018000B280
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000E297	3_2_000000018000E297
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000469C	3_2_000000018000469C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006AB0	3_2_0000000180006AB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000BEB0	3_2_000000018000BEB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B6C0	3_2_000000018000B6C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180008EC0	3_2_0000000180008EC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C2D0	3_2_000000018000C2D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003AE0	3_2_0000000180003AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800096E0	3_2_00000001800096E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C6F0	3_2_000000018000C6F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003717	3_2_0000000180003717
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003220	3_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000435B	3_2_000000018000435B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006F70	3_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C370	3_2_000000018000C370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002777	3_2_0000000180002777
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800033B8	3_2_00000001800033B8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180009BC0	3_2_0000000180009BC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5007E0	3_2_000002287B5007E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FFB40	3_2_000002287B4FFB40
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50A880	3_2_000002287B50A880
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FF870	3_2_000002287B4FF870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5108A0	3_2_000002287B5108A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F7840	3_2_000002287B4F7840
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B516848	3_2_000002287B516848
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B505850	3_2_000002287B505850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B507900	3_2_000002287B507900
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50F920	3_2_000002287B50F920
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B508910	3_2_000002287B508910
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F88E0	3_2_000002287B4F88E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EE8DC	3_2_000002287B4EE8DC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E176F	3_2_000002287B4E176F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B528770	3_2_000002287B528770
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F6790	3_2_000002287B4F6790
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B504790	3_2_000002287B504790
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B543800	3_2_000002287B543800
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5137F0	3_2_000002287B5137F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B532820	3_2_000002287B532820
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EB822	3_2_000002287B4EB822
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EA6A0	3_2_000002287B4EA6A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E769C	3_2_000002287B4E769C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E1630	3_2_000002287B4E1630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B536700	3_2_000002287B536700
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6704	3_2_000002287B4E6704
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FB700	3_2_000002287B4FB700
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5126F0	3_2_000002287B5126F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E271A	3_2_000002287B4E271A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FE6B0	3_2_000002287B4FE6B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5166DB	3_2_000002287B5166DB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F4570	3_2_000002287B4F4570
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FD580	3_2_000002287B4FD580
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B513580	3_2_000002287B513580
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E656A	3_2_000002287B4E656A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B502570	3_2_000002287B502570
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E9588	3_2_000002287B4E9588
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F7530	3_2_000002287B4F7530
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B504540	3_2_000002287B504540
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EC5F0	3_2_000002287B4EC5F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B505620	3_2_000002287B505620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5065C0	3_2_000002287B5065C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E75D2	3_2_000002287B4E75D2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EF5E0	3_2_000002287B4EF5E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EAC80	3_2_000002287B4EAC80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E3CA6	3_2_000002287B4E3CA6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6C98	3_2_000002287B4E6C98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FAC30	3_2_000002287B4FAC30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7C3B	3_2_000002287B4E7C3B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B503C50	3_2_000002287B503C50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCED	3_2_000002287B50FCED
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B545CF0	3_2_000002287B545CF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B505D20	3_2_000002287B505D20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B515D20	3_2_000002287B515D20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F2CB0	3_2_000002287B4F2CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCC0	3_2_000002287B50FCC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B510CB0	3_2_000002287B510CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCB7	3_2_000002287B50FCB7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCDB	3_2_000002287B50FCDB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E2CD2	3_2_000002287B4E2CD2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCE4	3_2_000002287B50FCE4
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCC9	3_2_000002287B50FCC9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50FCD2	3_2_000002287B50FCD2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FEBA0	3_2_000002287B4FEBA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E5B3E	3_2_000002287B4E5B3E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F9B50	3_2_000002287B4F9B50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B515B60	3_2_000002287B515B60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E8C05	3_2_000002287B4E8C05
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B504BF0	3_2_000002287B504BF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6B00	3_2_000002287B4E6B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4ECBAB	3_2_000002287B4ECBAB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E2BD6	3_2_000002287B4E2BD6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B501AA0	3_2_000002287B501AA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B505AA0	3_2_000002287B505AA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EFAA0	3_2_000002287B4EFAA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B533A90	3_2_000002287B533A90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E4A98	3_2_000002287B4E4A98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E3A32	3_2_000002287B4E3A32
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7A33	3_2_000002287B4E7A33
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F3A30	3_2_000002287B4F3A30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E5A50	3_2_000002287B4E5A50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6B00	3_2_000002287B4E6B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50AAC0	3_2_000002287B50AAC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E2971	3_2_000002287B4E2971
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B51A94C	3_2_000002287B51A94C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EFA00	3_2_000002287B4EFA00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EE9B0	3_2_000002287B4EE9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5049C0	3_2_000002287B5049C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FC9B0	3_2_000002287B4FC9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E1070	3_2_000002287B4E1070
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50E0A0	3_2_000002287B50E0A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B515030	3_2_000002287B515030
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6057	3_2_000002287B4E6057
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B505050	3_2_000002287B505050
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F8100	3_2_000002287B4F8100
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7113	3_2_000002287B4E7113
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EA110	3_2_000002287B4EA110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F6110	3_2_000002287B4F6110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FF120	3_2_000002287B4FF120
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E20C7	3_2_000002287B4E20C7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F70C0	3_2_000002287B4F70C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F3F70	3_2_000002287B4F3F70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7F7C	3_2_000002287B4E7F7C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E1F88	3_2_000002287B4E1F88
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FAFA0	3_2_000002287B4FAFA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E5F46	3_2_000002287B4E5F46
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6FF7	3_2_000002287B4E6FF7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B53D000	3_2_000002287B53D000
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B516FEF	3_2_000002287B516FEF
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B525020	3_2_000002287B525020
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FA020	3_2_000002287B4FA020
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B502010	3_2_000002287B502010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E4FB5	3_2_000002287B4E4FB5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B509EA0	3_2_000002287B509EA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7E89	3_2_000002287B4E7E89
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B51DE90	3_2_000002287B51DE90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FCE50	3_2_000002287B4FCE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50BE50	3_2_000002287B50BE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6EEB	3_2_000002287B4E6EEB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F8F00	3_2_000002287B4F8F00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B539F20	3_2_000002287B539F20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E3EC7	3_2_000002287B4E3EC7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E1D80	3_2_000002287B4E1D80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E2D8A	3_2_000002287B4E2D8A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7DA1	3_2_000002287B4E7DA1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6D44	3_2_000002287B4E6D44
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B516D2E	3_2_000002287B516D2E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B541D37	3_2_000002287B541D37
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EED50	3_2_000002287B4EED50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EEDF0	3_2_000002287B4EEDF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B542E00	3_2_000002287B542E00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E5E06	3_2_000002287B4E5E06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E6E10	3_2_000002287B4E6E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4ECE10	3_2_000002287B4ECE10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F9E10	3_2_000002287B4F9E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B504E20	3_2_000002287B504E20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EFE20	3_2_000002287B4EFE20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50ADC0	3_2_000002287B50ADC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B518DB4	3_2_000002287B518DB4
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E3470	3_2_000002287B4E3470
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B52C4A0	3_2_000002287B52C4A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E54E0	3_2_000002287B4E54E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B544370	3_2_000002287B544370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F8390	3_2_000002287B4F8390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B509390	3_2_000002287B509390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50B360	3_2_000002287B50B360
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E13F7	3_2_000002287B4E13F7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B53B410	3_2_000002287B53B410
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E73C0	3_2_000002287B4E73C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5423B7	3_2_000002287B5423B7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E83E0	3_2_000002287B4E83E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F23E0	3_2_000002287B4F23E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5053D0	3_2_000002287B5053D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E227C	3_2_000002287B4E227C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E1264	3_2_000002287B4E1264
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4ED2F0	3_2_000002287B4ED2F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F92F0	3_2_000002287B4F92F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FA2F0	3_2_000002287B4FA2F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B511300	3_2_000002287B511300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E3300	3_2_000002287B4E3300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E62F9	3_2_000002287B4E62F9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B507320	3_2_000002287B507320
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F52B0	3_2_000002287B4F52B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E62E6	3_2_000002287B4E62E6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F1180	3_2_000002287B4F1180
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E517C	3_2_000002287B4E517C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E517A	3_2_000002287B4E517A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E219F	3_2_000002287B4E219F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E612D	3_2_000002287B4E612D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4F2140	3_2_000002287B4F2140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E7160	3_2_000002287B4E7160
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4E61EC	3_2_000002287B4E61EC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4EA1E0	3_2_000002287B4EA1E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5241D0	3_2_000002287B5241D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC207E0	3_2_000002287BC207E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1FB40	3_2_000002287BC1FB40
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC18100	3_2_000002287BC18100
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC27900	3_2_000002287BC27900
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0A110	3_2_000002287BC0A110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC16110	3_2_000002287BC16110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC28910	3_2_000002287BC28910
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07113	3_2_000002287BC07113
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1F120	3_2_000002287BC1F120
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2F920	3_2_000002287BC2F920
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC170C0	3_2_000002287BC170C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC020C7	3_2_000002287BC020C7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0E8DC	3_2_000002287BC0E8DC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC188E0	3_2_000002287BC188E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC01070	3_2_000002287BC01070
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1F870	3_2_000002287BC1F870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2A880	3_2_000002287BC2A880
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2E0A0	3_2_000002287BC2E0A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC308A0	3_2_000002287BC308A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC35030	3_2_000002287BC35030
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC17840	3_2_000002287BC17840
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC36848	3_2_000002287BC36848
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC25050	3_2_000002287BC25050
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC25850	3_2_000002287BC25850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06057	3_2_000002287BC06057
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC36FEF	3_2_000002287BC36FEF
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC337F0	3_2_000002287BC337F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06FF7	3_2_000002287BC06FF7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC22010	3_2_000002287BC22010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1A020	3_2_000002287BC1A020
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0B822	3_2_000002287BC0B822
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC45020	3_2_000002287BC45020
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC04FB5	3_2_000002287BC04FB5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0176F	3_2_000002287BC0176F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC13F70	3_2_000002287BC13F70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07F7C	3_2_000002287BC07F7C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC01F88	3_2_000002287BC01F88
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC16790	3_2_000002287BC16790
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC24790	3_2_000002287BC24790
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1AFA0	3_2_000002287BC1AFA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC05F46	3_2_000002287BC05F46
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06EEB	3_2_000002287BC06EEB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC326F0	3_2_000002287BC326F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC18F00	3_2_000002287BC18F00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1B700	3_2_000002287BC1B700
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06704	3_2_000002287BC06704
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC56700	3_2_000002287BC56700
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0271A	3_2_000002287BC0271A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC59F20	3_2_000002287BC59F20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1E6B0	3_2_000002287BC1E6B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC03EC7	3_2_000002287BC03EC7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC366DB	3_2_000002287BC366DB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07E89	3_2_000002287BC07E89
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC3DE90	3_2_000002287BC3DE90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0769C	3_2_000002287BC0769C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0A6A0	3_2_000002287BC0A6A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC29EA0	3_2_000002287BC29EA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC01630	3_2_000002287BC01630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1CE50	3_2_000002287BC1CE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2BE50	3_2_000002287BC2BE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0EDF0	3_2_000002287BC0EDF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0C5F0	3_2_000002287BC0C5F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC05E06	3_2_000002287BC05E06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06E10	3_2_000002287BC06E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0CE10	3_2_000002287BC0CE10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC19E10	3_2_000002287BC19E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0FE20	3_2_000002287BC0FE20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC24E20	3_2_000002287BC24E20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC25620	3_2_000002287BC25620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC38DB4	3_2_000002287BC38DB4
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC265C0	3_2_000002287BC265C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2ADC0	3_2_000002287BC2ADC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC075D2	3_2_000002287BC075D2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0F5E0	3_2_000002287BC0F5E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0656A	3_2_000002287BC0656A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC14570	3_2_000002287BC14570
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC22570	3_2_000002287BC22570
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC01D80	3_2_000002287BC01D80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1D580	3_2_000002287BC1D580
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC33580	3_2_000002287BC33580
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC09588	3_2_000002287BC09588
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC02D8A	3_2_000002287BC02D8A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07DA1	3_2_000002287BC07DA1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC36D2E	3_2_000002287BC36D2E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC17530	3_2_000002287BC17530
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC24540	3_2_000002287BC24540
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06D44	3_2_000002287BC06D44
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0ED50	3_2_000002287BC0ED50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCED	3_2_000002287BC2FCED
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC25D20	3_2_000002287BC25D20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC35D20	3_2_000002287BC35D20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC12CB0	3_2_000002287BC12CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC30CB0	3_2_000002287BC30CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCB7	3_2_000002287BC2FCB7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCC0	3_2_000002287BC2FCC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCC9	3_2_000002287BC2FCC9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCD2	3_2_000002287BC2FCD2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC02CD2	3_2_000002287BC02CD2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCDB	3_2_000002287BC2FCDB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC054E0	3_2_000002287BC054E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2FCE4	3_2_000002287BC2FCE4
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC03470	3_2_000002287BC03470
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0AC80	3_2_000002287BC0AC80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06C98	3_2_000002287BC06C98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC03CA6	3_2_000002287BC03CA6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1AC30	3_2_000002287BC1AC30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07C3B	3_2_000002287BC07C3B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC23C50	3_2_000002287BC23C50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC24BF0	3_2_000002287BC24BF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC013F7	3_2_000002287BC013F7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC08C05	3_2_000002287BC08C05
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06B00	3_2_000002287BC06B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0CBAB	3_2_000002287BC0CBAB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC073C0	3_2_000002287BC073C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC253D0	3_2_000002287BC253D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC02BD6	3_2_000002287BC02BD6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC083E0	3_2_000002287BC083E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC123E0	3_2_000002287BC123E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC18390	3_2_000002287BC18390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC29390	3_2_000002287BC29390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1EBA0	3_2_000002287BC1EBA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC05B3E	3_2_000002287BC05B3E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC19B50	3_2_000002287BC19B50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2B360	3_2_000002287BC2B360
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC35B60	3_2_000002287BC35B60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0D2F0	3_2_000002287BC0D2F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC192F0	3_2_000002287BC192F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1A2F0	3_2_000002287BC1A2F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC062F9	3_2_000002287BC062F9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC03300	3_2_000002287BC03300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC06B00	3_2_000002287BC06B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC31300	3_2_000002287BC31300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC27320	3_2_000002287BC27320
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC152B0	3_2_000002287BC152B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2AAC0	3_2_000002287BC2AAC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC062E6	3_2_000002287BC062E6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0227C	3_2_000002287BC0227C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC04A98	3_2_000002287BC04A98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0FAA0	3_2_000002287BC0FAA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC21AA0	3_2_000002287BC21AA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC25AA0	3_2_000002287BC25AA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC13A30	3_2_000002287BC13A30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC03A32	3_2_000002287BC03A32
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07A33	3_2_000002287BC07A33
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC05A50	3_2_000002287BC05A50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC01264	3_2_000002287BC01264
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC061EC	3_2_000002287BC061EC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0FA00	3_2_000002287BC0FA00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0E9B0	3_2_000002287BC0E9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1C9B0	3_2_000002287BC1C9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC249C0	3_2_000002287BC249C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC441D0	3_2_000002287BC441D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0A1E0	3_2_000002287BC0A1E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC02971	3_2_000002287BC02971
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0517A	3_2_000002287BC0517A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0517C	3_2_000002287BC0517C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC11180	3_2_000002287BC11180
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0219F	3_2_000002287BC0219F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC0612D	3_2_000002287BC0612D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC12140	3_2_000002287BC12140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC3A94C	3_2_000002287BC3A94C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC07160	3_2_000002287BC07160
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800152B0	6_2_00000001800152B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800123E0	6_2_00000001800123E0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180022570	6_2_0000000180022570
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800207E0	6_2_00000001800207E0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180017840	6_2_0000000180017840
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001FB40	6_2_000000018001FB40
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001AC30	6_2_000000018001AC30
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180013F70	6_2_0000000180013F70
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180036FEF	6_2_0000000180036FEF
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180006FF7	6_2_0000000180006FF7
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018005D000	6_2_000000018005D000
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180022010	6_2_0000000180022010
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180045020	6_2_0000000180045020
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001A020	6_2_000000018001A020
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180035030	6_2_0000000180035030
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180025050	6_2_0000000180025050
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180006057	6_2_0000000180006057
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180001070	6_2_0000000180001070
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018002E0A0	6_2_000000018002E0A0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800170C0	6_2_00000001800170C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800020C7	6_2_00000001800020C7
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180018100	6_2_0000000180018100
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180016110	6_2_0000000180016110
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000A110	6_2_000000018000A110
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180007113	6_2_0000000180007113
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001F120	6_2_000000018001F120
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000612D	6_2_000000018000612D
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180012140	6_2_0000000180012140
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180007160	6_2_0000000180007160
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000517A	6_2_000000018000517A
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000517C	6_2_000000018000517C
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180011180	6_2_0000000180011180
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000219F	6_2_000000018000219F
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800441D0	6_2_00000001800441D0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000A1E0	6_2_000000018000A1E0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800061EC	6_2_00000001800061EC
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180001264	6_2_0000000180001264
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000227C	6_2_000000018000227C
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800062E6	6_2_00000001800062E6
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001A2F0	6_2_000000018001A2F0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800192F0	6_2_00000001800192F0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018000D2F0	6_2_000000018000D2F0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800062F9	6_2_00000001800062F9
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180031300	6_2_0000000180031300
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180003300	6_2_0000000180003300
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180027320	6_2_0000000180027320
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018002B360	6_2_000000018002B360
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180064370	6_2_0000000180064370
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180029390	6_2_0000000180029390
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180018390	6_2_0000000180018390

Source: Joe Sandbox View	Dropped File: C:\Program Files\Windows Mail\HoopCity.exe D312491920F1CF6599998CEDB9F6988F2FA3F81810B9AD1F5BFC265B16E3A234
Source: Joe Sandbox View	Dropped File: C:\Program Files\Windows Mail\HoopCityBase.dll EE71ED13F8E5A47C44AC230C96A13D8C876993763426EF50AE5F4E627C4BB287

Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: String function: 0000000180044FD0 appears 61 times
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: String function: 0000000180041890 appears 91 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180044FD0 appears 61 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000002287B524FD0 appears 61 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000002287BC44FD0 appears 31 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180041890 appears 91 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000002287B521890 appears 91 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180044FD0 appears 61 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180041890 appears 91 times

Source: 360safe.exe, 00000000.00000002.1271635037.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetSign.DLL> vs 360safe.exe
Source: 360safe.exe, 00000000.00000002.1271635037.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetSign.dll> vs 360safe.exe
Source: 360safe.exe, 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetSign.DLL> vs 360safe.exe
Source: 360safe.exe, 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetSign.dll> vs 360safe.exe

Source: 360safe.exe	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: HoopCity.exe.3.dr	Static PE information: Section: .std ZLIB complexity 0.9908854166666666

Source: 360safe.exe

Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it

Source: classification engine

Classification label: mal92.evad.winEXE@11/5@1/2

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5007E0 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	3_2_000002287B5007E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B507900 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B507900
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5005E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	3_2_000002287B5005E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B509B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	3_2_000002287B509B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FFE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	3_2_000002287B4FFE70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50CF00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	3_2_000002287B50CF00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B509390 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B509390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B507320 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B507320
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC207E0 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	3_2_000002287BC207E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC27900 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC27900
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2CF00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	3_2_000002287BC2CF00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1FE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	3_2_000002287BC1FE70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC205E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	3_2_000002287BC205E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC29390 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC29390
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC29B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	3_2_000002287BC29B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC27320 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC27320
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800207E0 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	6_2_00000001800207E0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180027320 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180027320
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180029390 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180029390
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800205E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	6_2_00000001800205E0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180027900 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180027900
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180029B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	6_2_0000000180029B00
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001FE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	6_2_000000018001FE70
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018002CF00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	6_2_000000018002CF00
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800207E0 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	10_2_00000001800207E0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001FE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	10_2_000000018001FE70
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180027320 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_0000000180027320
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180029390 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_0000000180029390
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800205E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	10_2_00000001800205E0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180027900 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_0000000180027900
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180029B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	10_2_0000000180029B00
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018002CF00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	10_2_000000018002CF00
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180027320 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0000000180027320
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180029390 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0000000180029390
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800205E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	11_2_00000001800205E0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800207E0 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	11_2_00000001800207E0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180027900 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0000000180027900
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180029B00 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	11_2_0000000180029B00
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001FE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	11_2_000000018001FE70
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018002CF00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	11_2_000000018002CF00

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4FC640 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,

3_2_000002287B4FC640

Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	3_2_000002287B506450
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	3_2_000002287BC26450
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	6_2_0000000180026450
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	10_2_0000000180026450
Source: C:\Windows\System32\dllhost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	11_2_0000000180026450

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50CAF0 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,

3_2_000002287B50CAF0

Source: C:\Users\user\Desktop\360safe.exe

Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,

0_2_0000000180001A10

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50D0F0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_000002287B50D0F0

Source: C:\Windows\System32\svchost.exe

File created: C:\Program Files\Windows Mail\HoopCity.exe

Jump to behavior

Source: 360safe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\360safe.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\360safe.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: HoopCity.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: HoopCity.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: 360safe.exe	String found in binary or memory: LDD/ADDIEDDDDDDDDDDDDDDDDDDlmmD
Source: 360safe.exe	String found in binary or memory: <!--StartFragment-->
Source: 360safe.exe	String found in binary or memory: <!--StartFragment--><!--EndFragment-->
Source: 360safe.exe	String found in binary or memory: process-stop
Source: 360safe.exe	String found in binary or memory: media-playback-start
Source: 360safe.exe	String found in binary or memory: media-playback-stop
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-16.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-24.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-24.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-32.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-32.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-128.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-32.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-32.png
Source: 360safe.exe	String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-16.png
Source: 360safe.exe	String found in binary or memory: dialog-help-icon
Source: 360safe.exe	String found in binary or memory: filedialog-start-icon
Source: 360safe.exe	String found in binary or memory: sys-menuitemicontextindicatorcornerclose-buttonactivate-on-singleclickalignmentarrow-keys-navigate-into-childrenbackward-iconbutton-layoutcd-iconcombobox-list-mousetrackingcombobox-popupcomputer-icondesktop-icondialog-apply-icondialog-cancel-icondialog-close-icondialog-discard-icondialog-help-icondialog-no-icondialog-ok-icondialog-open-icondialog-reset-icondialog-save-icondialog-yes-icondialogbuttonbox-buttons-have-iconsdirectory-closed-icondirectory-icondirectory-link-icondirectory-open-icondither-disable-textdockwidget-close-icondownarrow-icondvd-iconetch-disabled-textfile-iconfile-link-iconfiledialog-backward-iconfiledialog-contentsview-iconfiledialog-detailedview-iconfiledialog-end-iconfiledialog-infoview-iconfiledialog-listview-iconfiledialog-new-directory-iconfiledialog-parent-directory-iconfiledialog-start-iconfloppy-iconforward-icongridline-colorharddisk-iconhome-iconicon-sizeleftarrow-iconlineedit-password-characterlineedit-password-mask-delaymdi-fill-space-on-maximizemenu-scrollablemenubar-altkey-navigationmenubar-separatormessagebox-critical-iconmessagebox-information-iconmessagebox-question-iconmessagebox-text-interaction-flagsmessagebox-warning-iconmouse-trackingnetwork-iconopacitypaint-alternating-row-colors-for-empty-arearightarrow-iconscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controlscrollview-frame-around-contentsshow-decoration-selectedspinbox-click-autorepeat-ratespincontrol-disable-on-boundstabbar-elide-modetabbar-prefer-no-arrowstitlebar-close-icontitlebar-contexthelp-icontitlebar-maximize-icontitlebar-menu-icontitlebar-minimize-icontitlebar-normal-icontitlebar-shade-icontitlebar-show-tooltips-on-buttonstitlebar-unshade-icontoolbutton-popup-delaytrash-iconuparrow-iconwidget-animation-duration
Source: 360safe.exe	String found in binary or memory: sys-menuitemicontextindicatorcornerclose-buttonactivate-on-singleclickalignmentarrow-keys-navigate-into-childrenbackward-iconbutton-layoutcd-iconcombobox-list-mousetrackingcombobox-popupcomputer-icondesktop-icondialog-apply-icondialog-cancel-icondialog-close-icondialog-discard-icondialog-help-icondialog-no-icondialog-ok-icondialog-open-icondialog-reset-icondialog-save-icondialog-yes-icondialogbuttonbox-buttons-have-iconsdirectory-closed-icondirectory-icondirectory-link-icondirectory-open-icondither-disable-textdockwidget-close-icondownarrow-icondvd-iconetch-disabled-textfile-iconfile-link-iconfiledialog-backward-iconfiledialog-contentsview-iconfiledialog-detailedview-iconfiledialog-end-iconfiledialog-infoview-iconfiledialog-listview-iconfiledialog-new-directory-iconfiledialog-parent-directory-iconfiledialog-start-iconfloppy-iconforward-icongridline-colorharddisk-iconhome-iconicon-sizeleftarrow-iconlineedit-password-characterlineedit-password-mask-delaymdi-fill-space-on-maximizemenu-scrollablemenubar-altkey-navigationmenubar-separatormessagebox-critical-iconmessagebox-information-iconmessagebox-question-iconmessagebox-text-interaction-flagsmessagebox-warning-iconmouse-trackingnetwork-iconopacitypaint-alternating-row-colors-for-empty-arearightarrow-iconscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controlscrollview-frame-around-contentsshow-decoration-selectedspinbox-click-autorepeat-ratespincontrol-disable-on-boundstabbar-elide-modetabbar-prefer-no-arrowstitlebar-close-icontitlebar-contexthelp-icontitlebar-maximize-icontitlebar-menu-icontitlebar-minimize-icontitlebar-normal-icontitlebar-shade-icontitlebar-show-tooltips-on-buttonstitlebar-unshade-icontoolbutton-popup-delaytrash-iconuparrow-iconwidget-animation-duration
Source: 360safe.exe	String found in binary or memory: QToolTipclassstyle1styleDestroyed(QObject)Could not parse application stylesheetstyleSheet {Could not parse stylesheet of object_q_stylesheet_minw_q_stylesheet_minh_q_stylesheet_maxw_q_stylesheet_maxh does not have a property named cannot design property named _q_styleSheetWidgetFont1objectDestroyed(QObject*)mNX_q_styleSheetRealCloseButtonicon-sizetitlebar-menu-icontitlebar-minimize-icontitlebar-maximize-icontitlebar-close-icontitlebar-normal-icontitlebar-shade-icontitlebar-unshade-icontitlebar-contexthelp-icondockwidget-close-iconmessagebox-information-iconmessagebox-warning-iconmessagebox-critical-iconmessagebox-question-icondesktop-icontrash-iconcomputer-iconfloppy-iconharddisk-iconcd-icondvd-iconnetwork-icondirectory-open-icondirectory-closed-icondirectory-link-iconfile-iconfile-link-iconfiledialog-start-iconfiledialog-end-iconfiledialog-parent-directory-iconfiledialog-new-directory-iconfiledialog-detailedview-iconfiledialog-infoview-iconfiledialog-contentsview-iconfiledialog-listview-iconfiledialog-backward-icondirectory-icondialog-ok-icondialog-cancel-icondialog-help-icondialog-open-icondialog-save-icondialog-close-icondialog-apply-icondialog-reset-icondialog-discard-icondialog-yes-icondialog-no-iconuparrow-icondownarrow-iconleftarrow-iconrightarrow-iconbackward-iconforward-iconhome-iconlineedit-password-characterlineedit-password-mask-delaydither-disabled-textetch-disabled-textactivate-on-singleclickshow-decoration-selectedgridline-coloropacitycombobox-popupcombobox-list-mousetrackingmenubar-altkey-navigationmenu-scrollablemenubar-separatormouse-trackingspinbox-click-autorepeat-ratespincontrol-disable-on-boundsmessagebox-text-interaction-flagstoolbutton-popup-delayscrollview-frame-around-contentsscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controltabbar-elide-modetabbar-prefer-no-arrowsdialogbuttonbox-buttons-have-iconsmdi-fill-space-on-maximizearrow-keys-navigate-into-childrenpaint-alternating-row-colors-for-empty-areatitlebar-show-tooltips-on-buttonswidget-animation-durationqt_fontDialog_sampleEditqt_
Source: 360safe.exe	String found in binary or memory: QToolTipclassstyle1styleDestroyed(QObject)Could not parse application stylesheetstyleSheet {Could not parse stylesheet of object_q_stylesheet_minw_q_stylesheet_minh_q_stylesheet_maxw_q_stylesheet_maxh does not have a property named cannot design property named _q_styleSheetWidgetFont1objectDestroyed(QObject*)mNX_q_styleSheetRealCloseButtonicon-sizetitlebar-menu-icontitlebar-minimize-icontitlebar-maximize-icontitlebar-close-icontitlebar-normal-icontitlebar-shade-icontitlebar-unshade-icontitlebar-contexthelp-icondockwidget-close-iconmessagebox-information-iconmessagebox-warning-iconmessagebox-critical-iconmessagebox-question-icondesktop-icontrash-iconcomputer-iconfloppy-iconharddisk-iconcd-icondvd-iconnetwork-icondirectory-open-icondirectory-closed-icondirectory-link-iconfile-iconfile-link-iconfiledialog-start-iconfiledialog-end-iconfiledialog-parent-directory-iconfiledialog-new-directory-iconfiledialog-detailedview-iconfiledialog-infoview-iconfiledialog-contentsview-iconfiledialog-listview-iconfiledialog-backward-icondirectory-icondialog-ok-icondialog-cancel-icondialog-help-icondialog-open-icondialog-save-icondialog-close-icondialog-apply-icondialog-reset-icondialog-discard-icondialog-yes-icondialog-no-iconuparrow-icondownarrow-iconleftarrow-iconrightarrow-iconbackward-iconforward-iconhome-iconlineedit-password-characterlineedit-password-mask-delaydither-disabled-textetch-disabled-textactivate-on-singleclickshow-decoration-selectedgridline-coloropacitycombobox-popupcombobox-list-mousetrackingmenubar-altkey-navigationmenu-scrollablemenubar-separatormouse-trackingspinbox-click-autorepeat-ratespincontrol-disable-on-boundsmessagebox-text-interaction-flagstoolbutton-popup-delayscrollview-frame-around-contentsscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controltabbar-elide-modetabbar-prefer-no-arrowsdialogbuttonbox-buttons-have-iconsmdi-fill-space-on-maximizearrow-keys-navigate-into-childrenpaint-alternating-row-colors-for-empty-areatitlebar-show-tooltips-on-buttonswidget-animation-durationqt_fontDialog_sampleEditqt_
Source: 360safe.exe	String found in binary or memory: media-stop-16.png
Source: 360safe.exe	String found in binary or memory: media-stop-32.png
Source: 360safe.exe	String found in binary or memory: standardbutton-help-128.png
Source: 360safe.exe	String found in binary or memory: Gstandardbutton-help-16.png
Source: 360safe.exe	String found in binary or memory: Gstandardbutton-help-32.png
Source: 360safe.exe	String found in binary or memory: tab-stops
Source: 360safe.exe	String found in binary or memory: tab-stop
Source: 360safe.exe	String found in binary or memory: mimetypeurn:oasis:names:tc:opendocument:xmlns:manifest:1.0manifest1.2/text/xmlcontent.xmlMETA-INF/manifest.xmlfile-entrymedia-typefull-pathTable%1style-nametable-columnTable%1.%2number-columns-repeatedtable-rowtable-cellnumber-columns-spannednumber-rows-spannedTB%1.%2T%1list-itemlistL%1pp%1spanc%1tabline-breakautomatic-stylesparagraphfamilyparagraph-propertiesline-heightline-height-at-leastline-spacingQTextOdfWriter: unsupported paragraph alignment; margin-topmargin-bottommargin-leftmargin-righttext-indentbreak-beforebreak-afterkeep-togethertab-stopstab-stoptext-propertiesSanstext-transformuppercaselowercasecapitalizesmall-capsfont-variantletter-spacingword-spacingsingletext-line-through-typetext-underline-colordashdash-dotwave0%-100%text-outlinelist-level-style-numbernum-formatnum-suffixnum-prefixlist-level-style-bulletbullet-charlevellist-level-properties%1mmspace-befores%1section-propertiestable-propertiescollapsingborder-modeltable-column-propertiescolumn-widthQTextOdfWriter::writeTableCellFormat: ERROR writing table border formattable-cell-propertiespaddingpadding-toppadding-bottompadding-leftpadding-rightautomaticurn:oasis:names:tc:opendocument:xmlns:office:1.0urn:oasis:names:tc:opendocument:xmlns:text:1.0urn:oasis:names:tc:opendocument:xmlns:style:1.0urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0urn:oasis:names:tc:opendocument:xmlns:table:1.0urn:oasis:names:tc:opendocument:xmlns:drawing:1.0http://www.w3.org/1999/xlinkurn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0QTextOdfWriter::writeAll: the device cannot be opened for writingofficefodrawxlinkdocument-contentbody
Source: 360safe.exe	String found in binary or memory: Africa/Addis_Ababa
Source: 360safe.exe	String found in binary or memory: in-addr.arpa
Source: 360safe.exe	String found in binary or memory: y.noin-addr.arpacc.ct.usyamato.fukushima.jpdp.uaslg.brullensvang.noweb.nfclerk.appweb.niwww.robarsy.pubassn.lkradoy.noauthgearapps.comleitungsen.defukaya.saitama.jphk.comhole.nofrom-sd.comtsuno.kochi.jpcantho.vnnamaste.jptrafficplex.cloudilovecollege.infotrader.aerofetsund.noinatsuki.fukuoka.jpms.leg.brhadano.kanagawa.jphikawa.shimane.jpac.gov.brwatari.miyagi.jpdrud.iofvg.itambulance.aerotrentino-aadige.itnoto.ishikawa.jp*.spectrum.myjino.rune.jpweb.pkus-west-2.elasticbeanstalk.comsevenlaw.zane.keisesaki.gunma.jpholy.jpjeonnam.krchirurgiens-dentistes-en-france.frk12.in.usbozen-s
Source: 360safe.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: 360safe.exe	String found in binary or memory: id-cmc-addExtensions
Source: 360safe.exe	String found in binary or memory: set-addPolicy

Source: unknown	Process created: C:\Users\user\Desktop\360safe.exe "C:\Users\user\Desktop\360safe.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\HoopCity.exe "C:\Program Files\Windows Mail\HoopCity.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\HoopCity.exe "C:\Program Files\Windows Mail\HoopCity.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Users\user\Desktop\360safe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: hoopcitybase.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\HoopCity.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\HoopCityBase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\mimidump.inf	Jump to behavior

Source: 360safe.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 360safe.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 360safe.exe

Static file information: File size 26331648 > 1048576

Source: 360safe.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe9d400
Source: 360safe.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x919400

Source: 360safe.exe	Static PE information: More than 200 imports for KERNEL32.dll
Source: 360safe.exe	Static PE information: More than 200 imports for USER32.dll

Source: 360safe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win64_VS2019_nondev_i_r\WindowsPlayer_player_Master_il2cpp_x64.pdb source: 360safe.exe, 00000000.00000002.1271635037.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2495015925.000002287B370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmp, HoopCity.exe, HoopCity.exe, 0000000A.00000002.1279364875.000000014000C000.00000002.00000001.01000000.00000008.sdmp, HoopCity.exe.3.dr
Source:	Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\QtWidgetsApplication1\x64\Release\QtWidgetsApplication1.pdb$ source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: QtWidgetsApplication1.pdb source: 360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B504110 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

3_2_000002287B504110

Source: initial sample

Static PE information: section where entry point is pointing to: .std

Source: 360safe.exe	Static PE information: section name: .qtmetad
Source: 360safe.exe	Static PE information: section name: .qtmimed
Source: 360safe.exe	Static PE information: section name: _RDATA
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std
Source: HoopCity.exe.3.dr	Static PE information: section name: .std

Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_0000000180166538 push rsp; retf	0_2_0000000180166539
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B541A87 push FF491775h; ret	3_2_000002287B541A8C
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180061A87 push FF491775h; ret	6_2_0000000180061A8C
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000014001221D push rcx; retf 003Fh	10_2_000000014001221E
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000014000C5C0 push rax; retf	10_2_000000014000C5C1
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000014000C5C8 push rsp; retf	10_2_000000014000C5D1
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180061A87 push FF491775h; ret	10_2_0000000180061A8C
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180061A87 push FF491775h; ret	11_2_0000000180061A8C

Source: HoopCity.exe.3.dr	Static PE information: section name: .std entropy: 7.975145846946156
Source: HoopCity.exe.3.dr	Static PE information: section name: .std entropy: 7.88585773635149

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50318E VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,

3_2_000002287B50318E

Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\HoopCity.exe			Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\HoopCityBase.dll			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Windows\System32\svchost.exe

3_2_000002287B50D0F0

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\svchost.exe

File deleted: c:\users\user\desktop\360safe.exe

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4FC120 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_000002287B4FC120

Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\System32\svchost.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_3-51713

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4F70C0 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

3_2_000002287B4F70C0

Source: C:\Users\user\Desktop\360safe.exe	Code function: malloc,RtlCopyMemory,malloc,memset,RtlCopyMemory,memset,GetModuleFileNameW,malloc,memset,RtlCopyMemory,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	0_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_000002287B50D1D0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B50F920
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_000002287BC2D1D0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC2F920
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	6_2_000000018002D1D0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018002F920
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	10_2_000000018002D1D0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_000000018002F920
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	11_2_000000018002D1D0
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_000000018002F920

Source: C:\Windows\System32\svchost.exe	API coverage: 2.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.5 %
Source: C:\Program Files\Windows Mail\HoopCity.exe	API coverage: 3.4 %
Source: C:\Windows\System32\dllhost.exe	API coverage: 3.2 %

Source: C:\Windows\System32\svchost.exe TID: 6904

Thread sleep count: 34 > 30

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FC9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B4FC9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FDF30 malloc,memset,FindFirstFileW,free,	3_2_000002287B4FDF30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FCE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287B4FCE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FE370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000002287B4FE370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1DF30 malloc,memset,FindFirstFileW,free,	3_2_000002287BC1DF30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC1CE50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_000002287BC1E370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_000002287BC1C9B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	6_2_000000018001E370
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001C9B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001CE50
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	6_2_000000018001DF30
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00007FFB1C2E6418 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,abort,abort,abort,	10_2_00007FFB1C2E6418
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	10_2_000000018001E370
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_000000018001C9B0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	10_2_000000018001CE50
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	10_2_000000018001DF30
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001E370 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	11_2_000000018001E370
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001C9B0 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_000000018001C9B0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001CE50 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_000000018001CE50
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001DF30 malloc,memset,FindFirstFileW,free,	11_2_000000018001DF30

Source: C:\Windows\System32\svchost.exe

3_2_000002287B509B00

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B502570 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

3_2_000002287B502570

Source: svchost.exe, 00000003.00000000.1254583176.000002287A02B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: 360safe.exe, 00000000.00000002.1277101796.0000000141813000.00000008.00000001.01000000.00000003.sdmp, 360safe.exe, 00000000.00000000.1247122724.00000001417B9000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@
Source: 360safe.exe, 00000000.00000002.1269315814.000000000055D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1254609692.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2490738992.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2488798335.0000013D1BC13000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2487917246.000002EA8211C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2488965795.0000019A4E213000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000D.00000002.2487737856.000001B4F023C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HoopCity.exe, 0000000A.00000002.1277943290.0000000000440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC

Source: C:\Users\user\Desktop\360safe.exe	API call chain: ExitProcess graph end node			graph_0-4040
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node			graph_3-51720

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50E9E0 BlockInput,

3_2_000002287B50E9E0

Source: C:\Users\user\Desktop\360safe.exe

Code function: 0_2_000000018000D484 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000018000D484

Source: C:\Windows\System32\svchost.exe

3_2_000002287B4F70C0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B504110 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

3_2_000002287B504110

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50CAF0 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,

3_2_000002287B50CAF0

Source: C:\Users\user\Desktop\360safe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000D484 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000018000D484
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000F6D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000018000F6D0
Source: C:\Users\user\Desktop\360safe.exe	Code function: 0_2_000000018000CEE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000018000CEE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000D484 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000000018000D484
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000F6D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000000018000F6D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000CEE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000000018000CEE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B540800 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000002287B540800
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5400C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000002287B5400C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5441C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000002287B5441C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC600C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000002287BC600C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800600C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00000001800600C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800641C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00000001800641C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180060800 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0000000180060800
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00007FFB1C2E8618 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFB1C2E8618
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00007FFB1C2EBE40 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFB1C2EBE40
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00007FFB1C2E8458 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFB1C2E8458
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800600C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00000001800600C0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800641C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00000001800641C0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180060800 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0000000180060800
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800600C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00000001800600C0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800641C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00000001800641C0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180060800 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0000000180060800

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: HoopCity.exe.3.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\360safe.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287A7D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287B200000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287A7E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287A7F0000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287B860000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287B870000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2287B900000 protect: page execute and read and write	Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory protected: C:\Windows\System32\svchost.exe base: 2287B900000 protect: page execute read			Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory protected: C:\Windows\System32\svchost.exe base: 2287B860000 protect: page execute read			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B4FFB40 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,

3_2_000002287B4FFB40

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B4FF870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	3_2_000002287B4FF870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B50E560 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	3_2_000002287B50E560
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B509EA0 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	3_2_000002287B509EA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC1F870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	3_2_000002287BC1F870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC29EA0 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	3_2_000002287BC29EA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC2E560 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	3_2_000002287BC2E560
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018002E560 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	6_2_000000018002E560
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018001F870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	6_2_000000018001F870
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180029EA0 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	6_2_0000000180029EA0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018001F870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CreateRemoteThread,	10_2_000000018001F870
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018002E560 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	10_2_000000018002E560
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180029EA0 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	10_2_0000000180029EA0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018002E560 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	11_2_000000018002E560
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018001F870 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	11_2_000000018001F870
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180029EA0 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	11_2_0000000180029EA0

Creates a thread in another existing process (thread injection)

Source: C:\Program Files\Windows Mail\HoopCity.exe

Thread created: unknown EIP: 7B900000

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x1800209E3	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001F919	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtClose: Direct from: 0x1800208A1
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001B25A	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001B13D	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020A4E	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtWriteVirtualMemory: Direct from: 0x18001F93C	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020B8F	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001F95D	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtWriteVirtualMemory: Direct from: 0x18001F8F9	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18002090D	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020978	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtProtectVirtualMemory: Direct from: 0x18002D588	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtProtectVirtualMemory: Direct from: 0x18002D5BB	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtWriteVirtualMemory: Direct from: 0x18001FA3D	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001B223	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18002D1FB	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtProtectVirtualMemory: Direct from: 0x18001FA82	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001F704	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtProtectVirtualMemory: Direct from: 0x18001245A	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtQuerySystemInformation: Direct from: 0x18002CA14	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtUnmapViewOfSection: Direct from: 0x18002CA37	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x1800124B2	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtUnmapViewOfSection: Direct from: 0x18002CA54	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtProtectVirtualMemory: Direct from: 0x18001FA66	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtClose: Direct from: 0x18001FF26
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001247B	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x1800208B8	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtClose: Direct from: 0x18002CAD7
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001B291	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtQuerySystemInformation: Direct from: 0x1800126EC	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAdjustPrivilegesToken: Direct from: 0x180020887	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020AB9	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x1800207FD	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtCreateThreadEx: Direct from: 0x18001FAE5	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001B1EC	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtQuerySystemInformation: Direct from: 0x18001240D	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020B24	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x18001F8CA	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAllocateVirtualMemory: Direct from: 0x180020BFA	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	NtAdjustPrivilegesToken: Direct from: 0x18001FF0C	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 3752	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 2352	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 6392	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 1196	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\360safe.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287A7D0000	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287B200000	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287A7E0000	Jump to behavior
Source: C:\Users\user\Desktop\360safe.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287A7F0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2EA81F50000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2EA81FE0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2EA81F40000	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287B860000	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287B870000	Jump to behavior
Source: C:\Program Files\Windows Mail\HoopCity.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287B900000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B4F00A0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B4F0130000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B4F0090000	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	3_2_000002287B4F23E0
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	3_2_000002287BC123E0
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	6_2_00000001800123E0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	10_2_00000001800123E0
Source: C:\Windows\System32\dllhost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	11_2_00000001800123E0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B50E0A0 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,

3_2_000002287B50E0A0

Source: C:\Windows\System32\svchost.exe

3_2_000002287B50E0A0

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\HoopCity.exe "C:\Program Files\Windows Mail\HoopCity.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior

Source: svchost.exe, 00000006.00000002.2491820168.0000013D1CF80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1905194252.0000013D1CF80000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.1885811938.000002EA84860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerF
Source: svchost.exe, 00000006.00000003.1905243487.0000013D1D330000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1905440282.0000013D1D2B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1922158074.0000019A4F990000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TCPProgram ManagerF

Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: GetLocaleInfoEx,FormatMessageA,		10_2_00007FFB1C2E6118
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,		10_2_00007FFB1C2EC030

Source: C:\Users\user\Desktop\360safe.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_000002287B507EB0 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,

3_2_000002287B507EB0

Source: C:\Users\user\Desktop\360safe.exe

Code function: 0_2_000000018000D05C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000000018000D05C

Source: C:\Windows\System32\svchost.exe

3_2_000002287B502570

Source: svchost.exe, 00000006.00000003.1276608978.0000013D1D1D0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1275037120.0000013D1C950000.00000004.00000001.00020000.00000000.sdmp, HoopCity.exe, 0000000A.00000003.1276915991.0000000001AC0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: 360safe.exe, 00000000.00000002.1269315814.000000000055D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vxh V\Device\HarddiskVolume3\Users\user\Desktop\360safe.exe
Source: 360safe.exe, 00000000.00000002.1270497811.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1270497811.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1269578958.0000000000955000.00000004.00000020.00020000.00000000.sdmp, 360safe.exe, 00000000.00000002.1271817842.00000000050E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\360safe.exe

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B52A8C0 socket,socket,htonl,bind,getsockname,	3_2_000002287B52A8C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5276C0 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	3_2_000002287B5276C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B5015B0 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	3_2_000002287B5015B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287B536BC0 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	3_2_000002287B536BC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC4A8C0 socket,socket,htonl,bind,getsockname,	3_2_000002287BC4A8C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC476C0 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	3_2_000002287BC476C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC215B0 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	3_2_000002287BC215B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000002287BC56BC0 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	3_2_000002287BC56BC0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800215B0 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	6_2_00000001800215B0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001800476C0 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	6_2_00000001800476C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000018004A8C0 socket,socket,htonl,bind,getsockname,	6_2_000000018004A8C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000180056BC0 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	6_2_0000000180056BC0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800215B0 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	10_2_00000001800215B0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_00000001800476C0 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	10_2_00000001800476C0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_000000018004A8C0 socket,socket,htonl,bind,getsockname,	10_2_000000018004A8C0
Source: C:\Program Files\Windows Mail\HoopCity.exe	Code function: 10_2_0000000180056BC0 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	10_2_0000000180056BC0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800215B0 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	11_2_00000001800215B0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_00000001800476C0 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	11_2_00000001800476C0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_000000018004A8C0 socket,socket,htonl,bind,getsockname,	11_2_000000018004A8C0
Source: C:\Windows\System32\dllhost.exe	Code function: 11_2_0000000180056BC0 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	11_2_0000000180056BC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	12 Windows Service	11 Access Token Manipulation	3 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	12 Service Execution	1 Scheduled Task/Job	12 Windows Service	2 Software Packing	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	723 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 File Deletion	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Masquerading	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	4 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	723 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
360safe.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Mail\HoopCity.exe	0%	ReversingLabs
C:\Program Files\Windows Mail\HoopCityBase.dll	11%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://tools.soft.360.cn/jump?id=41X	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.47.188	true	false		high
www.baidu.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://s.360.cn/safe/xxzx.html?stype=msgcenter&type=	360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-CNCtrl$1	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	360safe.exe	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore/category/extensions	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chromebook?p=app_intent	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/answer/6098869	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.html	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.360.cn/weishi/cht/index.html#http://dl.360safe.com/setupbeta.exe	360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/answer/96817	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
http://.css	360safe.exe	false		high
https://support.google.com/chrome/a/?p=browser_profile_details	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://myactivity.google.com/	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.com	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
http://dl.360safe.com/offlinepackv4.exe	360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	false		high
https://policies.google.com/	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/a/answer/9122284	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://tools.soft.360.cn/jump?id=41X	360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
http://.jpg	360safe.exe	false		high
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	360safe.exe, 00000000.00000000.1246386089.0000000141157000.00000002.00000001.01000000.00000003.sdmp	false		high
https://update.360safe.com/safe/checkupdate.ini2http://update.360safe.com/safe/checkupdate_cht.ini&	360safe.exe, 00000000.00000000.1247174904.0000000141933000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.197.113.45	unknown	China		133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565272
Start date and time:	2024-11-29 14:49:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	360safe.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@11/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 360safe.exe

Simulations

Behavior and APIs

Time	Type	Description
14:50:07	Task Scheduler	Run new task: MicrosoftEdgeUpdate path: C:\Program Files\Windows Mail\HoopCity.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.47.188	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://profdentalcare.com	Get hash	malicious	Unknown	Browse	103.235.46.96
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	103.235.47.188
	https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	kHslwiV2w6.exe	Get hash	malicious	FormBook	Browse	103.235.47.188
	http://wap.smarthomehungary.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.allencai.net/	Get hash	malicious	Unknown	Browse	103.235.46.96
	LuJJk0US5g.msi	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	103.235.46.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	XiaobingOnekey.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	arm7.elf	Get hash	malicious	Mirai	Browse	106.13.224.235
	splarm.elf	Get hash	malicious	Unknown	Browse	180.76.142.163
	ivySCI-5.6.3.exe	Get hash	malicious	Unknown	Browse	45.113.194.85
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	106.13.166.147
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://profdentalcare.com	Get hash	malicious	Unknown	Browse	103.235.46.96
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	106.12.5.224
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	180.76.189.191
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	180.76.189.198
HKKFGL-AS-APHKKwaifongGroupLimitedHK	1Eo0gOdDsV.exe	Get hash	malicious	Quasar	Browse	154.83.15.5
	FS04dlvJrq.exe	Get hash	malicious	FormBook	Browse	192.197.113.67
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	154.221.28.71
	mips.elf	Get hash	malicious	Mirai	Browse	154.221.30.1
	sh4.elf	Get hash	malicious	Mirai	Browse	154.221.30.6
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	156.236.70.154
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	156.236.70.154
	na.elf	Get hash	malicious	Mirai	Browse	194.120.230.54
	na.elf	Get hash	malicious	Mirai	Browse	194.120.230.54
	na.elf	Get hash	malicious	Unknown	Browse	194.120.230.54

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Windows Mail\HoopCityBase.dll	setup#U4f01#U4e1a#U540d#U5355.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\Windows Mail\HoopCity.exe	setup#U4f01#U4e1a#U540d#U5355.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\Windows Mail\HoopCity.exe	dfp383.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Windows Mail\HoopCity.exe

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	652760
Entropy (8bit):	4.901210814900958
Encrypted:	false
SSDEEP:	6144:JojTX6o9ODnsnR/yJJpcwPi0EcjIQh/IK9rdOACd+AVi2K:67kns1y7uwK+jrIorHs++i2K
MD5:	EF8BDE64E1943C51E2DE2E5CB0182DEB
SHA1:	46194A480734F31455C2A1499B241A45BDEF9183
SHA-256:	D312491920F1CF6599998CEDB9F6988F2FA3F81810B9AD1F5BFC265B16E3A234
SHA-512:	60AC38AF1FE9C887364BAC54F3BAF2A1168E18EB028B74C2E0E550F40EAFB42702A69D58A735D70BA84BCCB64E15F9746784EBE6733928D113DF336F8DECAC9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: setup#U4f01#U4e1a#U540d#U5355.exe, Detection: malicious, Browse Filename: dfp383.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............0R.f............................!..L.!This program cannot be run in DOS mode....$........T9 .5Ws.5Ws.5Ws.]Sr.5Ws.]Tr.5Ws.]Rr.5Ws.]Vr.5Ws.DRr.5Ws.DSr.5Ws.DTr.5Ws3GVr.5Ws.5Vs.5Ws3GRr.5Ws3GWr.5Ws3G.s.5Ws3GUr.5WsRich.5Ws........................PE..d....].b..........#..........f.......k.........@.............................p.......*.... ..........................................E.......j..(.......H....p..T........)...........5..T............................6..8............................................std....@........Z.................. ..`.std................^..............@..@.std.........P......................@....std....T....p......................@..@.std................................@..@.std....H...........................@..@.std....(+...@...,.................. ...................................................................................................................................................................................

C:\Program Files\Windows Mail\HoopCityBase.dll

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165376
Entropy (8bit):	6.110130693026057
Encrypted:	false
SSDEEP:	3072:1zHrFX5aetLIuiUFVS1crInryCzaTFCANvIw8:fvj0iInWEMzv
MD5:	0E1C6BE6CE3F42B360A45A6D14375388
SHA1:	8B983028B0A3E0DEA90988165B6C0531E9BF862B
SHA-256:	EE71ED13F8E5A47C44AC230C96A13D8C876993763426EF50AE5F4E627C4BB287
SHA-512:	0F32AEB86C4883623743FE772E37C7833C0117021FB2E8A7379E80EE48B0B15E31FBAB63578F8A2E53E9D95BFF437E546ACD0F8562B01C05A9F9DEE5B965D1AD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Joe Sandbox View:	Filename: setup#U4f01#U4e1a#U540d#U5355.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........z..H.mGH.mGH.mG\piFM.mG\phFO.mG..GN.mG..lFJ.mG..hFi.mG..hFI.mG..nFJ.mGX.nFL.mGX.iF@.mGX.hFr.mG.clFO.mGH.lG..mG..dFJ.mG..mFI.mG..oFI.mGRichH.mG........................PE..d...n..g.........." ...).............{....................................................`.........................................@#..H....#..P........@...P..\............p.. .......8.......................(.......@...............H............................text.............................. ..`.rdata...].......^..................@..@.data........0....... ..............@....pdata..\....P......................@..@.reloc.. ....p.......@..............@..B.rsrc....P.......B...D..............@..@........................................................................................................................................................................................................

C:\Program Files\Windows Mail\mimidump.inf

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	546764
Entropy (8bit):	6.542788539432496
Encrypted:	false
SSDEEP:	12288:fQi1QXluDFR8drN0Q/mBnHRTO2S8NYrDbwo7XmG0lUjSI2e:GIqKxjNjoLSre
MD5:	5BF44632D2B4CAAFFF1C552FC71748BC
SHA1:	E03519CDC49C5F17CBFD896FB67FBD6491E57DDA
SHA-256:	C1284C3F12E95C9A6385265512246B640969E1E9B12A24B0B364905499F09289
SHA-512:	09FDB978FBA847B1639825444560F54AF9936E1322240352426EA4871C132DF4AF823B768C2808EC2EA0DAD44FB77C298948A2C3B260E72018410F60267F703E
Malicious:	false
Preview:	4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s\|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.\|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3168
Entropy (8bit):	3.557099643328887
Encrypted:	false
SSDEEP:	48:yei1q9tNTPQOYZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTkp+++:t7U4diaigVA9ll7dhFFx+
MD5:	7A14711F4CC145CB55937FD77D3219DB
SHA1:	FC526C4F7FFAD339A68C03853CE5027793AD6541
SHA-256:	94FDA09E6FC744536DD0199C79A44B5105EF9D66ADEDC09BB2452DC598EA07B7
SHA-512:	9E52C0D73764CD5F8F53D74ACC53247A905DA114453B762D203D28190D4099036A0851C91129CF0508A5D5330F23A18580339DBEEB0BB9D8CCEEFF560B1D532B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.A.u.t.h.o.r.>.S.Y.S.T.E.M.<./.A.u.t.h.o.r.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.M.i.c.r.o.s.o.f.t. .E.d.g.e. .U.p.d.a.t.e. .T.a.s.k. .M.a.c.h.i.n.e.C.o.r.e.<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t.E.d.g.e.U.p.d.a.t.e.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.B.o.o.t.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.B.o.o.t.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.S.-.1.-.5.-.1.8.<./.U.s.e.r.I.d.

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.7110483398889156
Encrypted:	false
SSDEEP:	96:pYMguQII4i26h4aGdinipV9ll7UY5HAmzQ+:9A4G/xne7HO+
MD5:	7A1771E88EA8639F907770CEFD03A7B1
SHA1:	2403D7888786C13F0ABD6120A210B3F27391E14E
SHA-256:	420B340C55C364FC3650B5026ABEDC3F07D812E43D67C3E8AE646F6451C58BBE
SHA-512:	59274D6BACF223C681AA9103FA09CC7EADF6AB96333947C7FB30FE23AA862874CAB94DB482457F3C3C2319F24BF5FDD110AFBE4053EF2A963BF553EAECEA79B7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.004827847025262
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	360safe.exe
File size:	26'331'648 bytes
MD5:	da7d87948abd48d5ba7f0449a12baed1
SHA1:	ce1a7523a2333d3bfedeb2ff596cd950e2d73c6d
SHA256:	0452656d33fcd78f19ad3fbb44594fa6b64852a2882353266377cfe3e65ad02f
SHA512:	f46f2560b254b396f9c3d546a596effba9b9ad18ee40e01b3a62640a2a9f04938253a5d8fef63fad9d526c08e2f0152fbb5501a5cbf356623654ed5350fcaf4f
SSDEEP:	393216:Rl7keYu3DWru9NDwj6SGEgCWwgF1oVicOCOlJsv6tWKFdu9CfKFZ2Sa+LipLWAYU:v7iuZqON6a+FAYU
TLSH:	A747AE67B2A608D4E876E0388A579117EFB1F81557B187DB21B496DA2F337E02D3B310
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A....................................FRj......v.......v.......q.......q.......s.......s.......w.............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140b1b8b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x6746818C [Wed Nov 27 02:18:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	beb0eb5afc4aa49a8bfc290f6f650356

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCDF8F6688Ch
dec eax
add esp, 28h
jmp 00007FCDF8F65ACFh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [00D19D68h]
call dword ptr [00383F6Ah]
and dword ptr [ebx], 00000000h
dec eax
lea ecx, dword ptr [00D19D58h]
call dword ptr [00383F62h]
dec eax
lea ecx, dword ptr [00D19D43h]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00383F3Fh]
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [00D19D2Ch]
call dword ptr [00383F2Eh]
mov eax, dword ptr [00CEE29Ch]
dec eax
lea ecx, dword ptr [00D19D19h]
mov edx, dword ptr [00D19D1Bh]
inc eax
mov dword ptr [00CEE287h], eax
mov dword ptr [ebx], eax
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov ecx, 00000014h
dec esp
mov eax, dword ptr [eax+edx*8]
mov eax, dword ptr [00CEE26Ch]
inc ebx
mov dword ptr [ecx+eax], eax
call dword ptr [00383EF6h]
dec eax
lea ecx, dword ptr [00D19CD7h]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00383ED3h]
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17b1da0	0x1f4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1933000	0xa39c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x183f000	0xa22f4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16bc030	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x16bc100	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x16bbef0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe9f000	0x20a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe9d224	0xe9d400	ccd0fa7028fa261f0a826e028b4a5dda	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe9f000	0x919364	0x919400	2cb09709b8bfb18804abc41efb15167b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17b9000	0x85810	0x6a000	3a5fe993167ff8619f1e84f60dc3111a	False	0.22242362544221697	data	3.9810579474128382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x183f000	0xa22f4	0xa2400	aaee8d3dea05433af360d32658ad1350	False	0.49019224287365176	data	6.800829870815186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qtmetad	0x18e2000	0x536	0x600	bfd0a37e057f358d80d1716d9a9abd7e	False	0.24609375	data	5.0500249701877475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed	0x18e3000	0x4ece5	0x4ee00	2d32d357ab751ffbbb513570c6ee6986	False	0.997458770800317	gzip compressed data, original size modulo 2^32 0	7.998000978505572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA	0x1932000	0x30	0x200	fc2f14d81e335ad78fd3a2189af093b9	False	0.046875	data	0.24749732431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1933000	0xb000	0xa400	d253f0d6684b864eb73034682b397843	False	0.8785727896341463	data	7.709873577338243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19332f8	0x86ce	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	1.000608519269777
RT_DIALOG	0x193b9c8	0x2c	data	Chinese	China	0.8409090909090909
RT_DIALOG	0x193b9f4	0x4c	data	Chinese	China	0.8289473684210527
RT_DIALOG	0x193ba40	0x90	data	Chinese	China	0.6666666666666666
RT_STRING	0x193bad0	0x3b0	data	Chinese	China	0.3877118644067797
RT_STRING	0x193be80	0x290	data	Chinese	China	0.3277439024390244
RT_STRING	0x193c110	0x3a4	data	Chinese	China	0.3927038626609442
RT_STRING	0x193c4b4	0x868	data	Chinese	China	0.15427509293680297
RT_ACCELERATOR	0x193cd1c	0x70	data	Chinese	China	0.6785714285714286
RT_RCDATA	0x193cd8c	0x80	data	English	United States	1.0859375
RT_VERSION	0x193ce0c	0x320	data	Chinese	China	0.47375
RT_MANIFEST	0x193d12c	0x26e	ASCII text, with CRLF line terminators	English	United States	0.5176848874598071

Imports

DLL	Import
KERNEL32.dll	InitializeCriticalSectionEx, PeekNamedPipe, AreFileApisANSI, LCIDToLocaleName, ExitProcess, VirtualQuery, RtlUnwindEx, ReadConsoleW, ReadConsoleA, SetConsoleMode, GetConsoleMode, GetACP, GetEnvironmentVariableW, GetStdHandle, GetSystemDirectoryA, lstrcatW, lstrcatA, AcquireSRWLockShared, ReleaseSRWLockShared, CreateFileMappingA, lstrlenA, GetModuleHandleA, MapViewOfFileEx, CreateEventA, InitializeSRWLock, GetTempFileNameW, SearchPathW, GetProfileIntW, VerifyVersionInfoW, VerSetConditionMask, GetWindowsDirectoryW, FindResourceExW, lstrcpyW, VirtualProtect, GetUserDefaultUILanguage, SystemTimeToTzSpecificLocalTime, GetFileTime, FileTimeToLocalFileTime, GetVersionExW, GlobalFindAtomW, GlobalDeleteAtom, GlobalFlags, lstrcmpiW, LoadLibraryExW, UnlockFile, LockFile, GlobalAddAtomW, GlobalGetAtomNameW, lstrcmpA, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, MulDiv, GlobalFree, FindResourceW, SizeofResource, LockResource, LoadResource, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, CreateActCtxW, InitializeCriticalSectionAndSpinCount, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, SetLastError, OutputDebugStringA, InitializeSListHead, GetSystemTimeAsFileTime, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, LCMapStringEx, DecodePointer, EncodePointer, RaiseException, GetLocaleInfoEx, FormatMessageA, VirtualFree, VirtualAlloc, CreateMutexW, ReleaseMutex, GetExitCodeProcess, GetUserGeoID, GetGeoInfoW, GetTimeZoneInformation, GetModuleHandleExW, FreeLibrary, FindNextFileW, FindFirstFileExW, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, MultiByteToWideChar, CompareStringW, RegisterWaitForSingleObject, UnregisterWaitEx, SetFilePointerEx, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, CopyFileW, DeviceIoControl, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, lstrcmpW, GetLastError, GetCurrentThreadId, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, WTSGetActiveConsoleSessionId, ExpandEnvironmentStringsW, CloseHandle, CreateProcessW, CheckRemoteDebuggerPresent, OpenProcess, GlobalAlloc, GlobalUnlock, GlobalLock, GetLocaleInfoW, LoadLibraryW, LoadLibraryA, GlobalSize, GetCurrentProcessId, GetUserDefaultLangID, CreateFileA, CreateFileW, GetFileSizeEx, ReadFile, SetFilePointer, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, GetLongPathNameW, GetVolumeInformationW, GetDriveTypeW, GetConsoleWindow, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetFileSize, CompareStringEx, GetCommandLineW, OutputDebugStringW, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetSystemTime, GetLocalTime, SetEvent, WaitForSingleObjectEx, CreateEventW, GetSystemDirectoryW, DuplicateHandle, WaitForSingleObject, Sleep, WaitForMultipleObjects, SwitchToThread, CreateThread, GetCurrentThread, SetThreadPriority, GetThreadPriority, TerminateThread, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemInfo, ResetEvent, GetDateFormatW, GetTimeFormatW, GetCurrencyFormatW, GetUserDefaultLCID, GetUserPreferredUILanguages, GetFileAttributesExW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount64, GetStartupInfoW, GetModuleFileNameW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, GetFileAttributesW, GetFileInformationByHandle, GetFullPathNameW
WTSAPI32.dll	WTSFreeMemory, WTSQuerySessionInformationW
UxTheme.dll	DrawThemeBackground, DrawThemeParentBackground, DrawThemeText, OpenThemeData, GetThemePartSize, GetThemeColor, GetThemeInt, GetThemeEnumValue, GetThemeMargins, GetThemePropertyOrigin, GetWindowTheme, CloseThemeData, GetThemeBackgroundRegion, IsThemeBackgroundPartiallyTransparent, GetThemeBool, SetWindowTheme, IsThemeActive, IsAppThemed, GetCurrentThemeName, GetThemeSysColor, GetThemeTransitionDuration
dwmapi.dll	DwmIsCompositionEnabled, DwmGetWindowAttribute, DwmEnableBlurBehindWindow, DwmSetWindowAttribute
IMM32.dll	ImmGetDefaultIMEWnd, ImmGetVirtualKey, ImmSetCandidateWindow, ImmSetCompositionWindow, ImmNotifyIME, ImmGetOpenStatus, ImmGetCompositionStringW, ImmAssociateContextEx, ImmAssociateContext, ImmReleaseContext, ImmGetContext
USERENV.dll	GetUserProfileDirectoryW
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
NETAPI32.dll	NetApiBufferFree, NetShareEnum
WS2_32.dll	getpeername, WSAAsyncSelect, getservbyport, WSACleanup, WSAStartup, ntohs, WSACloseEvent, getsockname, getsockopt, htonl, htons, WSAGetLastError, send, setsockopt, shutdown, WSASetLastError, WSAIoctl, WSAStringToAddressA, getaddrinfo, freeaddrinfo, inet_ntop, bind, gethostbyname, gethostbyaddr, inet_ntoa, socket, connect, recv, __WSAFDIsSet, closesocket, select, ioctlsocket, inet_addr, getservbyname, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents
WINMM.dll	timeGetTime, timeBeginPeriod, timeGetDevCaps, timeEndPeriod, PlaySoundW, timeSetEvent, timeKillEvent
MSIMG32.dll	AlphaBlend, TransparentBlt
CRYPT32.dll	CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertCloseStore, CertOpenStore, CertGetCertificateContextProperty
msvcrt.dll	_errno, acosf, isxdigit, strcpy_s, isspace, acos, sinf, cosf, isdigit, floorf, log10, atan2, rand, log, exp, floor, bsearch, atoi, calloc, getenv_s, ceil, sqrt, ftell, fseek, fread, fopen, fclose, getenv, strtol, qsort, strncpy, strncmp, realloc, pow, wcsncmp, tan, sin, cos, atan, strcmp, toupper, fflush, free, malloc, _setjmp, strerror, _local_unwind, __DestructExceptionObject, _amsg_exit, wcsstr, wcschr, __C_specific_handler, strchr, memchr, longjmp, strrchr, _CxxThrowException, strstr, memmove, memcmp, wcsrchr, memset, memcpy, _fileno, _close, _open_osfhandle, _getdrive, fgets, _fseeki64, _read, _write, tolower, __pctype_func, isupper, ___lc_codepage_func, _wcsdup, islower, strcspn, __strncnt, ___mb_cur_max_func, abort, wcsnlen, _callnewh, _initterm, _initterm_e, _set_fmode, wcsncpy_s, wcscpy_s, wcslen, strlen, ldiv, wcscspn, labs, _wtoi, _expand, _msize, wcscat_s, wcscmp, __doserrno, _wcsicmp, wcspbrk, _wmakepath_s, _wsplitpath_s, _wcsupr_s, iswspace, wcscoll, iswalnum, iswalpha, iswdigit, iswprint, towupper, towlower, _wtol, abs, _wcsicoll, _resetstkoflw, _wcslwr_s, clock, _beginthread, _endthread, ferror, strnlen, _time64, _localtime64, _gmtime64_s, strcat_s, strerror_s, setvbuf, _setmode, strspn, _wfopen, raise, signal, wcstol, _mbtowc_l, wctomb_s, _lock, _unlock, _iob, iswctype, feof, ceilf, tanf, strtoul, _hypotf, _localtime64_s, strncpy_s, _wgetenv_s, fputs, _mktime64, _tzset, _beginthreadex, _endthreadex, _lseeki64, asin, rand_s, _waccess, _wchmod, _get_osfhandle, _clearfp, _strtoui64, _wcstoui64, _isatty, _wfullpath, _commode, ?_set_new_mode@@YAHH@Z, _ismbblead, __set_app_type, _XcptFilter, __getmainargs, ___lc_handle_func, _hypot, fgetpos, ?terminate@@YAXXZ, _tzname, _timezone, __argv, __argc, _acmdln, __CxxFrameHandler3
gdiplus.dll	GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipDeleteGraphics, GdipDrawImageI, GdipCreateBitmapFromHBITMAP, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipCloneImage, GdiplusStartup, GdipFree, GdiplusShutdown, GdipAlloc
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
bcrypt.dll	BCryptGenRandom
USER32.dll	GetWindowRgn, DispatchMessageA, SubtractRect, TranslateMDISysAccel, DefMDIChildProcW, DefFrameProcW, IsClipboardFormatAvailable, CharUpperBuffW, SetMenuDefaultItem, LockWindowUpdate, SetRect, CopyAcceleratorTableW, DestroyAcceleratorTable, CreateAcceleratorTableW, ToUnicodeEx, MapVirtualKeyExW, IsCharLowerW, WaitMessage, PostThreadMessageW, GetComboBoxInfo, ReuseDDElParam, UnpackDDElParam, InsertMenuItemW, TranslateAcceleratorW, PeekMessageA, MsgWaitForMultipleObjects, LoadAcceleratorsW, UnionRect, DrawIcon, CopyIcon, BringWindowToTop, DrawFrameControl, DrawEdge, SetClassLongPtrW, DrawStateW, GetProcessWindowStation, GetUserObjectInformationW, FrameRect, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, LoadMenuW, GetKeyNameTextW, GetMenuDefaultItem, NotifyWinEvent, InvertRect, EnableScrollBar, IsRectEmpty, DrawFocusRect, GetNextDlgGroupItem, IntersectRect, DeleteMenu, ShowOwnedPopups, MapDialogRect, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamW, OffsetRect, SetRectEmpty, SendDlgItemMessageA, CopyImage, InflateRect, FillRect, GetWindowDC, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, PostQuitMessage, IsDialogMessageW, CheckDlgButton, GetSystemMetrics, SystemParametersInfoW, DefWindowProcW, DestroyWindow, GetDC, ReleaseDC, GetSysColor, GetDesktopWindow, GetDoubleClickTime, IsWindow, MessageBeep, GetCaretBlinkTime, UpdateLayeredWindowIndirect, SendMessageW, PostMessageW, AttachThreadInput, CreateWindowExW, IsChild, ShowWindow, UpdateLayeredWindow, SetLayeredWindowAttributes, FlashWindowEx, MoveWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, IsWindowVisible, IsIconic, SetFocus, RegisterTouchWindow, UnregisterTouchWindow, IsTouchWindow, GetCapture, SetCapture, ReleaseCapture, GetMenu, GetSystemMenu, EnableMenuItem, GetForegroundWindow, SetForegroundWindow, BeginPaint, EndPaint, GetUpdateRect, SetWindowRgn, InvalidateRect, SetWindowTextW, GetClientRect, GetWindowRect, AdjustWindowRectEx, SetCursor, ClientToScreen, ScreenToClient, GetWindowLongW, SetWindowLongW, GetWindowLongPtrW, SetWindowLongPtrW, GetParent, SetParent, GetWindowThreadProcessId, GetWindow, DestroyCursor, DestroyIcon, MonitorFromPoint, GetAncestor, GetKeyboardLayoutList, RegisterPowerSettingNotification, UnregisterPowerSettingNotification, UnregisterClassW, GetClassInfoW, RegisterClassExW, GetFocus, GetCursorPos, WindowFromPoint, ChildWindowFromPointEx, GetSysColorBrush, LoadImageW, SetMenu, DrawMenuBar, CreateMenu, CreatePopupMenu, DestroyMenu, InsertMenuW, AppendMenuW, ModifyMenuW, RemoveMenu, TrackPopupMenu, GetMenuItemInfoW, SetMenuItemInfoW, MonitorFromWindow, GetMonitorInfoW, EnumDisplayMonitors, LoadIconW, IsHungAppWindow, SetClipboardViewer, ChangeClipboardChain, RegisterClipboardFormatW, GetKeyboardLayout, RegisterWindowMessageW, IsWindowEnabled, CreateCaret, DestroyCaret, HideCaret, ShowCaret, SetCaretPos, FindWindowA, PeekMessageW, IsZoomed, GetKeyState, GetKeyboardState, ToAscii, ToUnicode, MapVirtualKeyW, TrackPopupMenuEx, RegisterClassW, EnumDisplayDevicesW, SetCursorPos, GetCursor, LoadCursorW, CreateCursor, CreateIconIndirect, GetIconInfo, GetCursorInfo, GetClipboardFormatNameW, TrackMouseEvent, GetMessageExtraInfo, GetAsyncKeyState, GetTouchInputInfo, CloseTouchInputHandle, GetWindowTextW, EnumWindows, RealGetWindowClassW, ChangeWindowMessageFilterEx, MessageBoxW, DrawIconEx, TranslateMessage, DispatchMessageW, GetQueueStatus, MsgWaitForMultipleObjectsEx, SetTimer, KillTimer, CharNextExA, RegisterDeviceNotificationW, UnregisterDeviceNotification, GetMenuStringW, GetMenuState, GetSubMenu, GetMenuItemID, GetMenuItemCount, UnhookWindowsHookEx, EnableWindow, GetLastActivePopup, GetMessageW, GetActiveWindow, ValidateRect, SetWindowsHookExW, CallNextHookEx, GetWindowTextLengthW, CharUpperW, GetDlgCtrlID, PtInRect, GetClassNameW, RealChildWindowFromPoint, CheckMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetMessagePos, GetMessageTime, CallWindowProcW, GetClassInfoExW, IsMenu, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, GetDlgItem, UpdateWindow, SetActiveWindow, RedrawWindow, ScrollWindow, SetScrollPos, GetScrollPos, SetScrollRange, GetScrollRange, ShowScrollBar, SetPropW, GetPropW, RemovePropW, MapWindowPoints, CopyRect, EqualRect, GetClassLongPtrW, GetTopWindow, SetScrollInfo, GetScrollInfo, WinHelpW
GDI32.dll	OffsetRgn, BitBlt, GdiFlush, CreateDIBSection, SelectObject, GetDeviceCaps, GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, RoundRect, GetRgnBox, Rectangle, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, Ellipse, CreateEllipticRgn, SetDIBColorTable, StretchBlt, SetPixel, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, GetBkColor, RealizePalette, SelectClipRgn, GetRegionData, DeleteObject, DeleteDC, CreateRectRgn, CreateCompatibleDC, CombineRgn, SetLayout, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, DPtoLP, SetRectRgn, PatBlt, CreateRectRgnIndirect, ScaleWindowExtEx, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, TextOutW, MoveToEx, SetROP2, SetPolyFillMode, GetLayout, SetMapMode, SelectPalette, ExtSelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetPixel, GetObjectType, GetClipBox, ExcludeClipRect, Escape, CreateSolidBrush, CreatePatternBrush, CreatePen, CreateHatchBrush, SetBkColor, CopyMetaFileW, GetDIBits, ExtTextOutW, SetWorldTransform, SetTextAlign, SetTextColor, SetGraphicsMode, SetBkMode, GetCharABCWidthsI, GetTextExtentPoint32W, GetOutlineTextMetricsW, GetGlyphOutlineW, GetCharABCWidthsFloatW, GetCharABCWidthsW, GetTextFaceW, GetTextMetricsW, RemoveFontMemResourceEx, AddFontMemResourceEx, RemoveFontResourceExW, AddFontResourceExW, GetStockObject, GetFontData, EnumFontFamiliesExW, CreateFontIndirectW, GetObjectW, GetBitmapBits, SwapBuffers, GetPixelFormat, DescribePixelFormat, SetPixelFormat, ChoosePixelFormat, CreateBitmap, CreateDCW, CreateCompatibleBitmap
WINSPOOL.DRV	OpenPrinterW, ClosePrinter, DocumentPropertiesW
ADVAPI32.dll	RegQueryValueExW, RegCreateKeyExW, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, BuildTrusteeWithSidW, GetNamedSecurityInfoW, GetEffectiveRightsFromAclW, LookupAccountSidW, MapGenericMask, GetLengthSid, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegQueryInfoKeyW, RegCloseKey, RegOpenKeyExW, RegSetValueExW, SystemFunction036, GetSidSubAuthority, GetSidSubAuthorityCount, FreeSid, DuplicateToken, CopySid, AllocateAndInitializeSid, AccessCheck, OpenProcessToken, GetTokenInformation
SHELL32.dll	SHGetStockIconInfo, ShellExecuteW, SHCreateItemFromIDList, SHCreateItemFromParsingName, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, Shell_NotifyIconW, Shell_NotifyIconGetRect, CommandLineToArgvW, SHGetKnownFolderPath, SHAppBarMessage, DragFinish, DragQueryFileW, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFileInfoW
ole32.dll	IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, CreateStreamOnHGlobal, CoDisconnectObject, OleDuplicateData, CoTaskMemAlloc, StringFromGUID2, CoCreateGuid, CoGetMalloc, ReleaseStgMedium, CoTaskMemFree, DoDragDrop, CoCreateInstance, OleIsCurrentClipboard, OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoInitialize, CoInitializeEx, CoUninitialize, OleUninitialize, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal
OLEAUT32.dll	SysFreeString, SafeArrayPutElement, SafeArrayCreateVector, SysAllocString, LoadTypeLib, SysAllocStringLen, SysStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, VariantInit, VarBstrFromDate, VariantChangeType, VariantCopy, VariantClear
SHLWAPI.dll	StrFormatKBSizeW, PathFindFileNameW, PathIsUNCW, PathStripToRootW, StrChrA, PathRemoveFileSpecW, PathFindExtensionW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 14:50:06.444077969 CET	49699	80	192.168.2.7	103.235.47.188
Nov 29, 2024 14:50:06.564030886 CET	80	49699	103.235.47.188	192.168.2.7
Nov 29, 2024 14:50:06.568030119 CET	49699	80	192.168.2.7	103.235.47.188
Nov 29, 2024 14:50:08.937055111 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:09.057019949 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:09.057100058 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:09.057274103 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:09.177242994 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:09.192728996 CET	49699	80	192.168.2.7	103.235.47.188
Nov 29, 2024 14:50:10.454047918 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:10.555140018 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:10.574692965 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:10.574768066 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:10.574889898 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:10.598282099 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:10.694797993 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:10.711946964 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:10.832031965 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:12.133790970 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:12.176438093 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:12.268671989 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:12.388814926 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:20.832731009 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:20.952775002 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:22.395237923 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:22.515630960 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:30.957875967 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:31.078047037 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:32.520286083 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:32.640237093 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:41.082860947 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:41.202830076 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:42.645347118 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:42.765362024 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:51.207916021 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:51.328068972 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:50:52.770536900 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:50:52.890461922 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:01.333007097 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:01.452893972 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:02.895633936 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:03.015774012 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:11.458192110 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:11.578335047 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:11.947010994 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:12.067028999 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:13.020615101 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:13.140686989 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:13.690711975 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:13.810817957 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:22.067698956 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:22.187731028 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:23.817509890 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:23.937871933 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:32.192568064 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:32.312496901 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:33.942698002 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:34.062705040 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:42.317642927 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:42.534537077 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:44.067637920 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:44.187558889 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:52.536449909 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:52.656661987 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:51:54.192708969 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:51:54.312752962 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:52:02.661621094 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:52:02.781656981 CET	80	49703	192.197.113.45	192.168.2.7
Nov 29, 2024 14:52:04.317986965 CET	49704	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:52:04.439369917 CET	80	49704	192.197.113.45	192.168.2.7
Nov 29, 2024 14:52:10.849457026 CET	49703	80	192.168.2.7	192.197.113.45
Nov 29, 2024 14:52:10.969443083 CET	80	49703	192.197.113.45	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 14:50:06.299245119 CET	64557	53	192.168.2.7	1.1.1.1
Nov 29, 2024 14:50:06.439141035 CET	53	64557	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2024 14:50:06.299245119 CET	192.168.2.7	1.1.1.1	0xfbf7	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2024 14:50:06.439141035 CET	1.1.1.1	192.168.2.7	0xfbf7	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 14:50:06.439141035 CET	1.1.1.1	192.168.2.7	0xfbf7	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 14:50:06.439141035 CET	1.1.1.1	192.168.2.7	0xfbf7	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Nov 29, 2024 14:50:06.439141035 CET	1.1.1.1	192.168.2.7	0xfbf7	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	192.197.113.45	80	3752	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 14:50:09.057274103 CET	56	OUT	Data Raw: 0d 10 25 13 01 29 02 0b 26 18 01 2b 16 22 2d 19 02 07 1c 19 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: %)&+"-::::::::::::::::::::::::::::::::=8
Nov 29, 2024 14:50:10.555140018 CET	85	IN	Data Raw: 04 08 05 02 0a 2a 12 09 16 20 0e 03 18 07 2d 2d 16 05 09 07 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 40 9a 03 08 99 ac a8 09 00 b5 Data Ascii: * --::::::::::::::::;:::^:::':::::::=8xcVV@w
Nov 29, 2024 14:50:10.711946964 CET	756	OUT	Data Raw: 04 08 05 02 0a 2a 12 09 16 20 0e 03 18 07 2d 2d 16 05 09 07 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 10 1b 3a 3a 86 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 57 dd 6b 1a 41 10 2f e6 c5 fa 91 e6 c1 87 70 94 52 42 29 a5 b4 7d ea Data Ascii: * --::::::::::::::::;:::::8::::::=8xWkA/pRB)}$P<1'x*iRXH(]f6UE1ag,H#S8@VaBl#_Oumi\|Ep023<q]V`F9NiE}),uw88
Nov 29, 2024 14:50:20.832731009 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:30.957875967 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:41.082860947 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:51.207916021 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:01.333007097 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:11.458192110 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:11.947010994 CET	576	OUT	Data Raw: 2f 0d 1b 24 1f 11 06 15 19 28 0f 22 23 01 1b 15 1f 28 17 10 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 72 23 3a 3a 32 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 59 4d 4b c3 40 10 05 4f 82 17 0f 3d 94 22 22 45 44 44 c5 83 a7 87 a7 Data Ascii: /$("#(::::::::::::::::2::r#::28::::::=8xYMK@O=""EDDiJPk*R7AL[b)}<=8Zgu\|'@;<.\|Zbor#e@R.rH)N3/?G65-c<HauR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	192.197.113.45	80	2352	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 14:50:10.574889898 CET	56	OUT	Data Raw: 00 1c 1d 23 0f 20 0a 08 16 24 02 07 2d 21 1d 17 00 2c 17 12 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 Data Ascii: # $-!,::::::::::::::::::::::::::::::::=8
Nov 29, 2024 14:50:12.133790970 CET	85	IN	Data Raw: 2b 15 2d 2d 00 0d 1b 09 01 2c 0a 0f 07 05 0d 1b 14 22 00 1b 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 40 9a 03 08 99 ac a8 09 00 b5 Data Ascii: +--,"::::::::::::::::;:::^:::':::::::=8xcVV@w
Nov 29, 2024 14:50:12.268671989 CET	754	OUT	Data Raw: 2b 15 2d 2d 00 0d 1b 09 01 2c 0a 0f 07 05 0d 1b 14 22 00 1b 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 34 1b 3a 3a 80 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 57 4b 6b 1b 41 0c 2e ce c5 f5 23 cd c1 87 b0 94 52 42 29 a5 b4 3d f5 Data Ascii: +--,"::::::::::::::::;:::4::8::::::=8xWKkA.#RB)=JewqG6iq!!&5uFI#iF<"<LejXM)%?JF[)rjO>.KX'QAULKFu6vXm85H#1>F
Nov 29, 2024 14:50:22.395237923 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:32.520286083 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:42.645347118 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:50:52.770536900 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:02.895633936 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:13.020615101 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 29, 2024 14:51:13.690711975 CET	576	OUT	Data Raw: 21 0a 28 27 20 22 17 0a 08 00 14 2a 05 0a 0b 19 13 2e 01 29 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a 72 23 3a 3a 32 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 59 4d 4b c3 40 10 05 4f 82 17 0f 3d 94 22 22 45 44 44 c5 83 a7 87 a7 Data Ascii: !(' ".)::::::::::::::::2::r#::28::::::=8xYMK@O=""EDDiJPkR7AL[b)}<=8Zgu\|'@;<.\|Zbor#e@R.rH)N3/?G65-c<HauR

Target ID:	0
Start time:	08:50:05
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\360safe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\360safe.exe"
Imagebase:	0x140000000
File size:	26'331'648 bytes
MD5 hash:	DA7D87948ABD48D5BA7F0449A12BAED1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:50:06
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:50:07
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:50:07
Start date:	29/11/2024
Path:	C:\Program Files\Windows Mail\HoopCity.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\HoopCity.exe"
Imagebase:	0x140000000
File size:	652'760 bytes
MD5 hash:	EF8BDE64E1943C51E2DE2E5CB0182DEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:50:08
Start date:	29/11/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	08:50:08
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	08:50:09
Start date:	29/11/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.9%
Total number of Nodes:	561
Total number of Limit Nodes:	4

Executed Functions

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000001800015E5
RtlCopyMemory.NTDLL ref: 0000000180001609
malloc.MSVCRT ref: 0000000180001613
memset.NTDLL ref: 0000000180001648
memset.NTDLL ref: 00000001800016A8
GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
malloc.MSVCRT ref: 00000001800016CD
memset.NTDLL ref: 00000001800016E7
RtlCopyMemory.NTDLL ref: 00000001800016F5
OpenSCManagerW.SECHOST ref: 0000000180001789
EnumServicesStatusExW.ADVAPI32 ref: 00000001800017D0
malloc.MSVCRT ref: 00000001800017E2
memset.NTDLL ref: 00000001800017FC
EnumServicesStatusExW.ADVAPI32 ref: 0000000180001838
CloseServiceHandle.ADVAPI32 ref: 0000000180001845
free.MSVCRT ref: 000000018000184E
CloseServiceHandle.ADVAPI32 ref: 0000000180001856
lstrcmpiW.KERNEL32 ref: 0000000180001881

Strings

Schedule, xrefs: 0000000180001872

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: mallocmemset$CloseCopyEnumHandleMemoryServiceServicesStatus$FileManagerModuleNameOpenfreelstrcmpi
String ID: Schedule
API String ID: 2398014078-2739827629
Opcode ID: 73369f28b7aa16c2a8f2d980950be6b4cc62dc581846ff5ac2f05964a5a53fdb
Instruction ID: aa6e580511663bbfe265cf69901141db5296ca1bdbbd027ad18742ebc6271d7a
Opcode Fuzzy Hash: 73369f28b7aa16c2a8f2d980950be6b4cc62dc581846ff5ac2f05964a5a53fdb
Instruction Fuzzy Hash: 59A18B36705B8886EBA2CB19E4843EDB7A4F78DBC4F44D129EA8903755EF38D648C700

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000817B
WriteProcessMemory.KERNELBASE ref: 000000018000820C
memset.NTDLL ref: 0000000180008354
RtlCopyMemory.NTDLL ref: 0000000180008375
NtAlpcConnectPort.NTDLL ref: 00000001800083E7

Strings

Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
0, xrefs: 000000018000828B

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: Memory$AllocAlpcConnectCopyPortProcessVirtualWritememset
String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
API String ID: 2976569565-3460289035
Opcode ID: ba10ff0ad143dc255e677196fa68b063caf770b72bb99dc8d96f21d25adc268a
Instruction ID: c867e681d528c686af98a10dae80cf32f62379cc457a419eb79b0f10cf2203a4
Opcode Fuzzy Hash: ba10ff0ad143dc255e677196fa68b063caf770b72bb99dc8d96f21d25adc268a
Instruction Fuzzy Hash: DA714AB5314AC495EFA5CF24EC687DA6362F788798F809122CE5E07668DF3CC24AC700

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 0000000180009CB9

Strings

@, xrefs: 0000000180009CA1

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 895774fe39c432a9b9607027b095213d7444ba67ac4258149de1e0ad329cd703
Instruction ID: 18fc404becee558648dc3b88deb7cd26e24f8305e57b1969b75a8bcb2d1568be
Opcode Fuzzy Hash: 895774fe39c432a9b9607027b095213d7444ba67ac4258149de1e0ad329cd703
Instruction Fuzzy Hash: 1141F132314B8891EA55CF62FC50BD67764F788784F518116EE9E53B20DF38C61AC740

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 000000018000587E
NtQuerySystemInformation.NTDLL ref: 00000001800058CD

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: InformationQuerySystemrealloc
String ID:
API String ID: 4089764311-0
Opcode ID: 5b2271d777f21188a61ef38d5ba3f89a884e304cdec4f019188cd102fd86097b
Instruction ID: 427c8884ce8749a78ca3d3c3a8c27aa53bcbca740cc51bc6bbb167420c726022
Opcode Fuzzy Hash: 5b2271d777f21188a61ef38d5ba3f89a884e304cdec4f019188cd102fd86097b
Instruction Fuzzy Hash: 37011BB671498496FF41CFA6EC6879AB362E78DBD4F45D022DE5E47728CE28C1098700

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE ref: 000000018000559C

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19fd5c849ab6d6bb4bfb0504d01622fbd0855da7b3ae26213c64984a74220370
Instruction ID: 1af2901ad9ea5d48a71e1387facd5c3dc420b40515ed1f24f3c52e30eae20cd4
Opcode Fuzzy Hash: 19fd5c849ab6d6bb4bfb0504d01622fbd0855da7b3ae26213c64984a74220370
Instruction Fuzzy Hash: 3A11BFB160478885FB51CFA5EC287CA77A0E389794F55A122DE4E17764CF38C209C704

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 000000018000194B
GetModuleFileNameW.KERNEL32 ref: 000000018000195D
wcsstr.NTDLL ref: 000000018000196F
SHTestTokenMembership.SHELL32 ref: 000000018000197A
ExitProcess.KERNEL32 ref: 00000001800019A1

Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800015E5
Part of subcall function 00000001800015B0: RtlCopyMemory.NTDLL ref: 0000000180001609
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 0000000180001613
Part of subcall function 00000001800015B0: memset.NTDLL ref: 0000000180001648
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016A8
Part of subcall function 00000001800015B0: GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800016CD
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016E7
Part of subcall function 00000001800015B0: RtlCopyMemory.NTDLL ref: 00000001800016F5
Part of subcall function 00000001800015B0: OpenSCManagerW.SECHOST ref: 0000000180001789

ExitProcess.KERNEL32 ref: 000000018000198E

Strings

svchost.exe, xrefs: 0000000180001963

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: memset$malloc$CopyExitFileMemoryModuleNameProcess$ManagerMembershipOpenTestTokenwcsstr
String ID: svchost.exe
API String ID: 4182427535-3106260013
Opcode ID: 49b2746f520621c52c2f6b1137a1e3989a23aebb1405abeb5981ef2b69f05654
Instruction ID: 3d9f09b143253cd0dfd0e6581948ee01b3a167d7ad96167eb3876c00e91661b1
Opcode Fuzzy Hash: 49b2746f520621c52c2f6b1137a1e3989a23aebb1405abeb5981ef2b69f05654
Instruction Fuzzy Hash: 59011631310A4D91FBA6EB25E8A63DA3360BB8DBC5F448015A58E466A5DF3CC34CC740

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000ADC2

Strings

@, xrefs: 000000018000ADAC

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 4c3b16f85558678d99978a2826ea59a476f0fecef5113a1fd359f289397e99d2
Instruction ID: 61b381563d42cd6753897e2385543e004ac5681d5a2be3bd69d8f72948d93a77
Opcode Fuzzy Hash: 4c3b16f85558678d99978a2826ea59a476f0fecef5113a1fd359f289397e99d2
Instruction Fuzzy Hash: 7501A9B4315A8C81FB85CBA2EC68BD62320A38DBD4F009216DD0F63B65CE38C20A8340

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000AA41

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 09e9e4a3515dd01a16282e12e76213f45599d8a1d7260836c2c4a2b9d7084a13
Instruction ID: 73e87c2b7c2d5619f46bf5d70013e5ca0052a29b2a2f4204b7040bb4172c38ed
Opcode Fuzzy Hash: 09e9e4a3515dd01a16282e12e76213f45599d8a1d7260836c2c4a2b9d7084a13
Instruction Fuzzy Hash: F9017CB1605A8891FB99CBA1EC64BDA6724E78DB90F409116DE1E53B60DF28C20AC300

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAdjustPrivilege.NTDLL ref: 0000000180008E96

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AdjustPrivilege
String ID:
API String ID: 3260937286-0
Opcode ID: 04f793066cab408fed6589d09ad0fe1fffaf3af776d1e9cf15d361d7c489d70e
Instruction ID: e4abec9a57f5e6cf389df4562fc0fbd72bc56ee49a3068fea4ec594597959d4a
Opcode Fuzzy Hash: 04f793066cab408fed6589d09ad0fe1fffaf3af776d1e9cf15d361d7c489d70e
Instruction Fuzzy Hash: 8FF04F3A321B8C81EA82DB66EC657953BA0F34CB94F419412ED9E53734CE3DC2098B00

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessId.KERNELBASE ref: 0000000180005A81

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: 50f958970ebb76354ffea4ce1ff0be6425b08e38d9476523f750ab82be1909a1
Instruction ID: 66fdd7e8d1beca02ada1f235eec6f3e8d8bb28daf1441ad2ec8515806f49a421
Opcode Fuzzy Hash: 50f958970ebb76354ffea4ce1ff0be6425b08e38d9476523f750ab82be1909a1
Instruction Fuzzy Hash: 6501A2B2214A0896EA80CB59E8603AA7371F789BD8F509122EF4F83734CF29C216C700

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000AF9F

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ccffb0519a1b9c89baffc0360623a97ea4d16e3d4b406d7972a077802599c2a0
Instruction ID: 7ff3df5bac33cfd624bc324d8d31064a5bf78969ddbca9639b8b43afe07be034
Opcode Fuzzy Hash: ccffb0519a1b9c89baffc0360623a97ea4d16e3d4b406d7972a077802599c2a0
Instruction Fuzzy Hash: E301E8B5315A8891FB95CB92EC98386A762A78DBD0F41C116DD1E57768CE29C109C344

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000A932

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3d4ad1e4b773f5052256976749b827bf9fceb0f49c8bdd15a119f946dfcf417c
Instruction ID: f53447897d0afbce070d8cf6422c94e204f60e1333671bc7201952eebc3bc3bb
Opcode Fuzzy Hash: 3d4ad1e4b773f5052256976749b827bf9fceb0f49c8bdd15a119f946dfcf417c
Instruction Fuzzy Hash: D70119F5305A8891FB91CB56EC98786A762E78EBD4F41C112CD5E47768CE3DC1098340

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000B17E

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6e2161141dd83c3af048edcd6057f7ac8833ef0ae4a502c593557384e899631b
Instruction ID: 24a5fe1f65a8ff2b3f9b336ffdde7a29a110ba51538feb9284479ebd75def28f
Opcode Fuzzy Hash: 6e2161141dd83c3af048edcd6057f7ac8833ef0ae4a502c593557384e899631b
Instruction Fuzzy Hash: 40F03CF5315A8991FF91CB56EC58786A722F789BD4F41D1128D1E57768CE2DC2098380

Non-executed Functions

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
RtlCopyMemory.NTDLL ref: 00000001800010EB
RtlCopyMemory.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
Sleep.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
Sleep.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
Sleep.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
RtlCopyMemory.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
RtlCopyMemory.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9
\Microsoft\Windows, xrefs: 000000018000149C

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$CopyMemorywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 252973232-4137575348
Opcode ID: 25a54c13e9a735a875ead524e7afe43dc856ba856741995bc76f1784370f9354
Instruction ID: 8444b12730cc2e4b24a21f92cbaba62370983439c4159096c57ec2b4dd869c75
Opcode Fuzzy Hash: 25a54c13e9a735a875ead524e7afe43dc856ba856741995bc76f1784370f9354
Instruction Fuzzy Hash: 85F17932600B89D5F7A2DF65E8157DD37A0FB8DB98F448215EE9A57A94EF38C209C700

Function 0000000180010E00 Relevance: 57.8, APIs: 26, Strings: 6, Instructions: 1836stringCOMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000180010E4D
strcpy_s.MSVCRT ref: 0000000180010EDA
strcpy_s.MSVCRT ref: 0000000180010F5C
strcpy_s.MSVCRT ref: 0000000180010F7F

Strings

, xrefs: 0000000180012196
1#IND, xrefs: 0000000180010F52
1#SNAN, xrefs: 0000000180010F75
1#INF, xrefs: 0000000180010FBB
1#QNAN, xrefs: 0000000180010F98
, xrefs: 000000018001260E

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: strcpy_s$fegetenv
String ID: $ $1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 3803379885-3106414055
Opcode ID: a264154010b335dcc8e77e63ee817b6bf3ede139aa726cf6f4ca62368f08a2f6
Instruction ID: 7d45f6c654c956143fd9d26eaeeaae5a9dbd0b7ac36d89918087f78a63c1df12
Opcode Fuzzy Hash: a264154010b335dcc8e77e63ee817b6bf3ede139aa726cf6f4ca62368f08a2f6
Instruction Fuzzy Hash: D0F2F372614A898FE7AACE69D4407ED77A1F38C7C9F109125EE1657B84EF34CA18CB40

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 0000000180001A3B
CLSIDFromString.COMBASE ref: 0000000180001CFA
IIDFromString.COMBASE ref: 0000000180001D0D
CoCreateInstance.COMBASE ref: 0000000180001D2C

Strings

Y:\:, xrefs: 0000000180001AD8
X:^:, xrefs: 0000000180001AE8
X:[:, xrefs: 0000000180001BAA
:Y:, xrefs: 0000000180001C3F
A::, xrefs: 0000000180001A4F
^:G:, xrefs: 0000000180001B44
:_:, xrefs: 0000000180001AF0
:, xrefs: 0000000180001CA0
\:[:, xrefs: 0000000180001B9B
Y::, xrefs: 0000000180001C46
\:^:, xrefs: 0000000180001C4D

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: 042c554cad8af894e656224a2f31c9785861aedbae0dc43e1f823e5507c20a61
Instruction ID: bb9760e412e0da7a9fa856a0e12bed8815f139b06612a008ac7157658cf1ee11
Opcode Fuzzy Hash: 042c554cad8af894e656224a2f31c9785861aedbae0dc43e1f823e5507c20a61
Instruction Fuzzy Hash: CA91ED73D18BD4CAE311CF7994016ADBB70F799348F14A249EA946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.COMBASE ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26
SYSTEM, xrefs: 0000000180001DD9

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: 614b72df1dcfdb13e6e7e9f40b98ec6a16ace2cc5bef3ea5268e0735b5c70f43
Instruction ID: ea068f2d577331d4d34f7ce72b56dd1e3d0ea9ea0467babe62b28c7e472ad91b
Opcode Fuzzy Hash: 614b72df1dcfdb13e6e7e9f40b98ec6a16ace2cc5bef3ea5268e0735b5c70f43
Instruction Fuzzy Hash: 36B1CF36B00B588AEB40DFAAD88429D77B1FB88F99F558026DE0E57B28DF35C149C300

Function 000000018000F6D0 Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018000F6FB
memset.NTDLL ref: 000000018000F750
RtlCaptureContext.NTDLL ref: 000000018000F76C
RtlLookupFunctionEntry.NTDLL ref: 000000018000F784
RtlVirtualUnwind.NTDLL ref: 000000018000F7C2
IsDebuggerPresent.KERNEL32 ref: 000000018000F803
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018000F80D
UnhandledExceptionFilter.KERNEL32 ref: 000000018000F818
GetCurrentProcess.KERNEL32 ref: 000000018000F830
TerminateProcess.KERNEL32 ref: 000000018000F83E

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: 7dc4868741350a1ed7cc7bec7e1247bba303b169c19a5f1790be2632382eac85
Instruction ID: ba24e1ffb11a22a24deea4117bc60841cceb276e4587d3da583010efd0501156
Opcode Fuzzy Hash: 7dc4868741350a1ed7cc7bec7e1247bba303b169c19a5f1790be2632382eac85
Instruction Fuzzy Hash: 48413032A14F858AE751CF64E8513EE73B0F79D748F009229EB8D46A59EF78C298C704

Function 000000018000D484 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018000D4A0
memset.NTDLL ref: 000000018000D4C4
RtlCaptureContext.NTDLL ref: 000000018000D4CD
RtlLookupFunctionEntry.NTDLL ref: 000000018000D4E7
RtlVirtualUnwind.NTDLL ref: 000000018000D528
memset.NTDLL ref: 000000018000D55B
IsDebuggerPresent.KERNEL32 ref: 000000018000D57C
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018000D59D
UnhandledExceptionFilter.KERNEL32 ref: 000000018000D5A8

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 7f20e88019a3dea1c98dff80d091ead56c2a804e3afe9e7b797dc77bfc3d9804
Instruction ID: f0d81ebf82978fd56193d97fecd2d6932c3beb8f3f5aa989cc62be3c5867452e
Opcode Fuzzy Hash: 7f20e88019a3dea1c98dff80d091ead56c2a804e3afe9e7b797dc77bfc3d9804
Instruction Fuzzy Hash: 4C314172205F8886EBA1DF64E8413DD7364F788784F44842AEA4E47B94DF38C64CC714

Function 0000000180007550 Relevance: 9.2, Strings: 7, Instructions: 485COMMON

Download Yara Rule

Strings

TpAllocAlpcCompletion, xrefs: 0000000180007A0A
\RPC Control\, xrefs: 0000000180007729
NtAlpcSetInformation, xrefs: 0000000180007B33
NtAlpcCreatePort, xrefs: 00000001800078E1
?Vse4", xrefs: 000000018000759B
ntdll.dll, xrefs: 000000018000780A
NtAlpcConnectPort, xrefs: 0000000180007C5F

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
API String ID: 0-3440571002
Opcode ID: f2272cd02c527ba66290fdd0511b9d73e927a503c006ae6aff4811d714ae7238
Instruction ID: db531cbe6c7215b7beac89914ea0d5b623cdbc859f3fd4c8ffed9520062f2ae3
Opcode Fuzzy Hash: f2272cd02c527ba66290fdd0511b9d73e927a503c006ae6aff4811d714ae7238
Instruction Fuzzy Hash: F6121BF5721A9895FE41CBB9EC687D66362F78D798F81A113CE1E57624DE38C20AC340

Function 000000018000E297 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 306COMMON

Download Yara Rule

APIs

wctomb_s.MSVCRT ref: 000000018000E2FD

Strings

0, xrefs: 000000018000E627

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: wctomb_s
String ID: 0
API String ID: 2215178078-4108050209
Opcode ID: 9590b62b1cdf5e2e9ba92ac2b374c7ec93504cf439e0da941adb929f049209f1
Instruction ID: 669014fd47de581cbd80178cec617e364a3d39619997f68f623dd0f90899f060
Opcode Fuzzy Hash: 9590b62b1cdf5e2e9ba92ac2b374c7ec93504cf439e0da941adb929f049209f1
Instruction Fuzzy Hash: 46D1A272204BC886EBA6CF28D1403AD77A1F34ABD8F649215EE4D57794DF35CA8AC740

Function 00000001800101C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00000001800101D5

Strings

-, xrefs: 0000000180010470
localeconv, xrefs: 00000001800105B8

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID: -$localeconv
API String ID: 2918714741-4132363106
Opcode ID: e614fc95d6bfa4c868340b5e87e00c9b46572d26c8992a6dcab7d30d20e0c0dc
Instruction ID: bbbc25cdd6ce2d31a73f7a7a53944f50a293d9bcd6a7e264c5b47ba25a2fc233
Opcode Fuzzy Hash: e614fc95d6bfa4c868340b5e87e00c9b46572d26c8992a6dcab7d30d20e0c0dc
Instruction Fuzzy Hash: FE911772704AC886EBA28B14A5447EA7761F359BE4F248211EBD947BC5DFBCC649C700

Function 000000018000F890 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000F8BD

Strings

gfffffff, xrefs: 000000018000FB76

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID: gfffffff
API String ID: 2918714741-1523873471
Opcode ID: 259df5ac207aadec5ffe8e6be151dc588cda67961492783d10a339cafb3c06fb
Instruction ID: 2c8cc9d6f96ba83e52b87df3f6bcb5a0f79e46ee7c8db7fa2b845fdc616ab7e2
Opcode Fuzzy Hash: 259df5ac207aadec5ffe8e6be151dc588cda67961492783d10a339cafb3c06fb
Instruction Fuzzy Hash: D891E4B27057C986EBA2CB69E1503F97B90A7697C0F048032DB8947BC1DF7CC259A701

Function 0000000180003DBC Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

C:\windows\, xrefs: 00000001800040A8
WinSta0\Default, xrefs: 000000018000409C
taskmgr.exe, xrefs: 0000000180003F94
C:\windows\system32\, xrefs: 0000000180003F43

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
API String ID: 0-638001070
Opcode ID: c5207e7b4b0b86d756437afbad151232ef68d88f78f63fe6f242a49dccbc7778
Instruction ID: ff44758d759536888d3377b4f2813c100e0f227a2d98dccd77a8a15a1d04d7e0
Opcode Fuzzy Hash: c5207e7b4b0b86d756437afbad151232ef68d88f78f63fe6f242a49dccbc7778
Instruction Fuzzy Hash: C58110F6760A8942FF91CBA9FCA97D66322F74A7D8F40A112CD1E57624DE38D209C704

Function 0000000180003AE0 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

winver.exe, xrefs: 0000000180003BE1
C:\windows\, xrefs: 0000000180003C45
WinSta0\Default, xrefs: 0000000180003C39
C:\windows\system32\, xrefs: 0000000180003B90

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
API String ID: 0-1160837885
Opcode ID: 93a2b0484ba751841bc05e7f2adad842797d3a80603c1b654e7f384ed92a7746
Instruction ID: 3f1cfa4d575335075bd3c48e5055bf53680ae5065dce3768eae8732111aa9669
Opcode Fuzzy Hash: 93a2b0484ba751841bc05e7f2adad842797d3a80603c1b654e7f384ed92a7746
Instruction Fuzzy Hash: A84170B2324A8892FF51CB69FCA97966321F389BC8F4091169D5E47624DF3CC209C704

Function 0000000180003220 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180003282
p, xrefs: 00000001800032F3

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: 0$p
API String ID: 0-2059906072
Opcode ID: a7af8e94d9d122363c9ba56be279431bec711b8c03149f6ef1f085cd7ee20895
Instruction ID: f316587ab43161bc0d965a4e9064b50efd4ab337fd6d027ea46d3ae0e774efcc
Opcode Fuzzy Hash: a7af8e94d9d122363c9ba56be279431bec711b8c03149f6ef1f085cd7ee20895
Instruction Fuzzy Hash: DE31F076645A8982EB51CF56EC94BD62320F38DBD8F429212ED5E0BB24EF38C15AC700

Function 000000018000ECE0 Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000ED2D

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 088da372acf342deeb9aaef58484ed788e46ecb761bacfe233fb86b787f10960
Instruction ID: 90a0499567bef4520dec738d2bc1efd56d1f1741844553329cca12d79335cddb
Opcode Fuzzy Hash: 088da372acf342deeb9aaef58484ed788e46ecb761bacfe233fb86b787f10960
Instruction Fuzzy Hash: F281C672305A888AE7A6CF29D4503A973A5F74DBC8F148122EF4D67399DF35CA4AC340

Function 000000018000BEB0 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

LaGOl56, xrefs: 000000018000BEFC

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: LaGOl56
API String ID: 0-375277488
Opcode ID: edffe9ef7f78a61489372e6522847bd1819d8db715b60a1dc90c2952b104cf7f
Instruction ID: d3257a9512b94aa5c3a30b8927bef16899f8b480e1152b34fbd2b4f0f67e6ca9
Opcode Fuzzy Hash: edffe9ef7f78a61489372e6522847bd1819d8db715b60a1dc90c2952b104cf7f
Instruction Fuzzy Hash: EA41E6B2314E48D2DF44CF15E854B9A7365F758BC8F658216DA8E87728EF39C21AC700

Function 0000000180002C8A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

201ef99a-7fa0-444c-9399-19ba84f12a1a, xrefs: 0000000180002DAE

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
API String ID: 0-3963691810
Opcode ID: 548d5f5d09b7bb71e88ed0911d28de3462597b3670c4aedf013fb6f8f4e188b3
Instruction ID: 2e4d1bfc098e70fecb24e6cd4a49aaacbc8653426ce865a339d261f1d8c382e2
Opcode Fuzzy Hash: 548d5f5d09b7bb71e88ed0911d28de3462597b3670c4aedf013fb6f8f4e188b3
Instruction Fuzzy Hash: 224141B6755B8947EF89CB64EDA63AB2321EB8D7A8F419516C91F43761DE38C209C300

Function 0000000180002526 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

ncalrpc, xrefs: 00000001800025DE

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: ncalrpc
API String ID: 0-2983622238
Opcode ID: ec491b8541e5ba87cc55742f637b6646835075508169ec297f56b02c3a6529be
Instruction ID: 188c8e747a7d88b86d36049d4f8611b16dc2ca68c56705edde0c2f8f15fb9419
Opcode Fuzzy Hash: ec491b8541e5ba87cc55742f637b6646835075508169ec297f56b02c3a6529be
Instruction Fuzzy Hash: 48314FB2720A5842EF85CF69ECA87966762F78D7D4F81D522CE1E47624DF38C2098300

Function 00000001800069E0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40544349071ee85384a1097bfe23c0cbcca023351ab990b872ef2eee0ae8b1d0
Instruction ID: 5ebbf2754306c0b60d6152e30984c4b2a34126c98b08edfc288c299e3dba13eb
Opcode Fuzzy Hash: 40544349071ee85384a1097bfe23c0cbcca023351ab990b872ef2eee0ae8b1d0
Instruction Fuzzy Hash: 4C410472B11A5886EB10CB65F815B9A73A8F798794F404025EF9E47B68EF3CC156CB00

Function 000000018000469C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd5d524ca4281c96afd2f1c5b5990144d8f5f497f1f2e0554f370cd08c41020
Instruction ID: 5ce47defba9ad22839667c52f00c55d8e2e7d4e0bfcac176853e5dfddf30a043
Opcode Fuzzy Hash: dcd5d524ca4281c96afd2f1c5b5990144d8f5f497f1f2e0554f370cd08c41020
Instruction Fuzzy Hash: 7551FBEA650A8942EF91DBA9FCA97D72322F74A7D4F40E112CD2E57718DE38D209C704

Function 00000001800096E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955f7af3fa6c4d2fa96144ec7ae0311ee617ac675d3b737044756a099a389f3c
Instruction ID: 5fa998d76dde1407050f089c5c97169da02c15a811c501e4416ba08492098967
Opcode Fuzzy Hash: 955f7af3fa6c4d2fa96144ec7ae0311ee617ac675d3b737044756a099a389f3c
Instruction Fuzzy Hash: B151B132715B8896EB50CB65F95478A77A5F3887C4F55812AEE8E83B28EF3CD119C700

Function 0000000180008EC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df93bf9fb1fa2b87573994d8dfd09ce25e71a23708a3cb17e2d3b575460a5204
Instruction ID: 7c169c72a3cd49dadeb4283ec1d10796d64338e09e8f27c9aa23a8ed8d1d8600
Opcode Fuzzy Hash: df93bf9fb1fa2b87573994d8dfd09ce25e71a23708a3cb17e2d3b575460a5204
Instruction Fuzzy Hash: 9251C2B5710A9992EA50CFA5EC687D66321F789BD4F40E126DE1F67B24DE38C51AC300

Function 000000018000B1AC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13a1cb9ad1de499c3aa4824b5acdf7727e80b8a1733a0aec0b37f9f565618ab
Instruction ID: b4d02f0d51c95df83c98d355d25a743b1602a7ff861fa07585bc0084ab603ac1
Opcode Fuzzy Hash: b13a1cb9ad1de499c3aa4824b5acdf7727e80b8a1733a0aec0b37f9f565618ab
Instruction Fuzzy Hash: 3C41EFB3715A4995EA15CF61EC5478AB7A5F3887D8F44D126EE4E4BA28DF38C24AC300

Function 0000000180006AB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f12bbec3ef4c21acf85d16b0a115e4a7e0493bc861de78a5f35de5683c3d02
Instruction ID: 6460ceb4c15a3ed5359fcdf969113481d425c3230f3a87ff8fc2c19d9e9b03ef
Opcode Fuzzy Hash: 34f12bbec3ef4c21acf85d16b0a115e4a7e0493bc861de78a5f35de5683c3d02
Instruction Fuzzy Hash: 2C419F76B54A8886EB50CB65F854B9AB365F78CBC8F408126DE4E53B28DE3DC216C740

Function 000000018000C2D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b297dc0b12863ea5633e0394b25c6481c274db880565e99598a358100e8291a
Instruction ID: 953ac995840ab945eafaf149798731085ccbd96a3d42a2912d3ad9ebdee2443a
Opcode Fuzzy Hash: 7b297dc0b12863ea5633e0394b25c6481c274db880565e99598a358100e8291a
Instruction Fuzzy Hash: 9841F1B2318F4996DB50CFA5E8557AA7B61F348788F84801ADE8F47624DF38C12AC340

Function 000000018000C6F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfa6a913d7c4ff124cb3aa69afb99d83595d1418767386c9633c732c9792808
Instruction ID: 5850766affd1dc1006efbcf663fcd044a5b0c42a56f90ee8d84e9915f07db0dd
Opcode Fuzzy Hash: 4cfa6a913d7c4ff124cb3aa69afb99d83595d1418767386c9633c732c9792808
Instruction Fuzzy Hash: 324160B2304F84D6EB45CF55E88478AB7A6F3447C4F94C126EA8D5BA28DF78C15AC740

Function 000000018000B620 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9698306a213f8c13e5c744f7ec092e0b35f2306cd29e4199544cb17bea7b188
Instruction ID: b47c33fa182b2b6e406ff42d742b16e34a2be846b06d7cc3c47bcc5ad0dd5191
Opcode Fuzzy Hash: e9698306a213f8c13e5c744f7ec092e0b35f2306cd29e4199544cb17bea7b188
Instruction Fuzzy Hash: 064124B2714A49E2DB10CF25EA9878E7762F3443C4F459206EE4E97238DF39C225C700

Function 000000018000C370 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4257d8eece49b07830ae728c934a0f990658fde052998d00cffd0e02d3b839
Instruction ID: 3a2a54fd14ba3c9112fcd9d06e2a83f2faa874cf33c3fc19e07575f54e4b3df5
Opcode Fuzzy Hash: 1d4257d8eece49b07830ae728c934a0f990658fde052998d00cffd0e02d3b839
Instruction Fuzzy Hash: A931B2B2754A8987DF44CFA4E8657EA3B21F344798F84911BDA5F47A24CE78C11AC341

Function 000000018000435B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0daa0753ebf70cac3f1989174038f561a0c5660f626df88f0a2939a5c04a6c
Instruction ID: 2a1ed074ffd7e39de9dbbb892b36c7f1f966cdf4f6d65e5bdce06b4abba8519a
Opcode Fuzzy Hash: ae0daa0753ebf70cac3f1989174038f561a0c5660f626df88f0a2939a5c04a6c
Instruction Fuzzy Hash: 203123FA655B8892EA51CBB8FC697C72322F74E7D4F81A502CE1E67614DE38D209C340

Function 000000018000947B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73174d58ad3160897c5a64570d9003ffaf5d087b7b9248789bc756d00bdab3d
Instruction ID: 942c5937e91a832c3798b686b0af252ed0c82f0c3b6d5ce8abc2cb51314499f8
Opcode Fuzzy Hash: b73174d58ad3160897c5a64570d9003ffaf5d087b7b9248789bc756d00bdab3d
Instruction Fuzzy Hash: C1311BB5315A8481EE85CFA6ECA93A66362FB88BD4F50D116CE1F67B74CE38C1058304

Function 0000000180004153 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f56db044ec06fe9913ba76ce3c2bf12016da8f8da552b3796bd1813fef10e1
Instruction ID: 0f0f3af555497e93059dc6571c7412b3cf3e20d7676d806d74ba2686562364a5
Opcode Fuzzy Hash: f0f56db044ec06fe9913ba76ce3c2bf12016da8f8da552b3796bd1813fef10e1
Instruction Fuzzy Hash: 4D215EF635599842EA91CBA4ECB87972312E749BD8F81E112CD1F57758DE38C209C304

Function 0000000180004CB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a006de8f1fa7d243e3a9e9c69abcd2beb43e2c5219531642d7352cf58e783ff9
Instruction ID: 0398998c4114ad5c5b94ddcd0fb1f602503181105fadb351b64ed8fd47976dc8
Opcode Fuzzy Hash: a006de8f1fa7d243e3a9e9c69abcd2beb43e2c5219531642d7352cf58e783ff9
Instruction Fuzzy Hash: 3821E4B2714A8885EA81CF66EC28B9A7365F78CBD8F418125DE4E47724CE3CC50AC700

Function 000000018000B280 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fe960c443452bf0ca02dabf0d677333f7eabc8cd444734c87d950e4602ee01
Instruction ID: ab0ffabe3359154a9a054265eb67cdc921f16df733aa97232a2a79013b0c5846
Opcode Fuzzy Hash: 24fe960c443452bf0ca02dabf0d677333f7eabc8cd444734c87d950e4602ee01
Instruction Fuzzy Hash: 9031B1F2705A49DAEB10CF60E85478AB3A5F3447C8F48E126EA5E47A2CDF78C115C300

Function 0000000180006F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cd48eb86cffa3e912c72a7c123d50d0eaa709cb8e30086e54480a646824998
Instruction ID: cac3c35be222ff7eef943cb234c43953059dc6fb381ac3a95ed8d8d7d73f5086
Opcode Fuzzy Hash: 37cd48eb86cffa3e912c72a7c123d50d0eaa709cb8e30086e54480a646824998
Instruction Fuzzy Hash: 8D21D5B2754B5892DA458FB6EC64BCA3765E759BD4F419122EE0E57324EE38CA06C300

Function 000000018000B6C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64c56d490765ec9f9d46dfeab995d0ba34f0f31c8983dff4219531d9fbfdcd4
Instruction ID: a6e6edd21a1a0c722a2499f339a184c92f9c9d010025383cad1e5f5c62af46d3
Opcode Fuzzy Hash: d64c56d490765ec9f9d46dfeab995d0ba34f0f31c8983dff4219531d9fbfdcd4
Instruction Fuzzy Hash: C731A2B2724A49E6DB11CF64D65878E7B62F3443D4F49A206DB0E97638EF39C16AC700

Function 0000000180003833 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e217b24b7fe48aa955040255649620cb74da878ba68ae1136ca8d1af41fc62
Instruction ID: 9760054fc79c478af4dd39252b2b751102fb23d7a1b59b1fbf3b89b659a09381
Opcode Fuzzy Hash: 71e217b24b7fe48aa955040255649620cb74da878ba68ae1136ca8d1af41fc62
Instruction Fuzzy Hash: 40214DB67A1A5982EB85CFB5ECA87972321E74EBD8F45E112CD1E17720DE28D6098300

Function 0000000180002666 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2d5e05eff172b05dc87084c5523a4ecc04e86c45d5e3728672f408956a8a85
Instruction ID: a1eb8e041cf6125ce916b131f004215fd0dc4e0823b2c10b9e6b369a0edfe964
Opcode Fuzzy Hash: 4d2d5e05eff172b05dc87084c5523a4ecc04e86c45d5e3728672f408956a8a85
Instruction Fuzzy Hash: C72151F6720A9883EB81CFB4E8A87D62761F74D794F81A413CE1D47620EE39C209C300

Function 00000001800044C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2500243ea94212a5fd507f9d99e92e0f8a02bad23cbb205cd462231196f1815e
Instruction ID: 4e70c7cdf9cf98d4b06827ce81096b38f4c6550eb1c3702f94efa454c28f36ae
Opcode Fuzzy Hash: 2500243ea94212a5fd507f9d99e92e0f8a02bad23cbb205cd462231196f1815e
Instruction Fuzzy Hash: 401181A371198C46FA92DBB8FD69BD76322E74C3A5F81A0129D1E07A15DE38C24AC704

Function 0000000180002A19 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86626058d538872f07d77dda5097a3ecc31de5526fa1fad0316364cda8ebfd5b
Instruction ID: 8a330624d2ba0a6fed1f57350598af27946c66593bd366883eb837f41dd1fc67
Opcode Fuzzy Hash: 86626058d538872f07d77dda5097a3ecc31de5526fa1fad0316364cda8ebfd5b
Instruction Fuzzy Hash: 19214DF6711A9882EB45CF75ECA8BD663A2E78DBD4F42D5138D1E4B624DE38C209C300

Function 0000000180003717 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e99ab8dcbc8e63c5f9103b9d6fa0c8fb216801dfa18011b9ec8e283faf2431
Instruction ID: 9fa600c9fe03323da2054d219e5722fb772a2560d15068f858cbbefadb7b799e
Opcode Fuzzy Hash: 68e99ab8dcbc8e63c5f9103b9d6fa0c8fb216801dfa18011b9ec8e283faf2431
Instruction Fuzzy Hash: 7E214CA63A1A4986EB41CF65EC94B9A2321E78DBD8F01A112CD1E07728DF3CD209C300

Function 000000018000290C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445f07d13ce021b97b4416e3be73bb395122839d113d106c3414c649594de6e0
Instruction ID: 2b6b2132a0a2e07f8bd3ee14bfededbc3de52b34ac7b1e2e4bc17d2910e7999e
Opcode Fuzzy Hash: 445f07d13ce021b97b4416e3be73bb395122839d113d106c3414c649594de6e0
Instruction Fuzzy Hash: 4D215EB6614B8483EB41CBA5E8993C663A1FB49794F409506DA5E57A24EF38D209C300

Function 0000000180002170 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15019dd00c72fdc341cb36ccde0155ea6700116316576b32820349e0d845168f
Instruction ID: 887f6319f8645ccbc92e08c78cc143592e8fc5d0258ff08adeb588e841213fec
Opcode Fuzzy Hash: 15019dd00c72fdc341cb36ccde0155ea6700116316576b32820349e0d845168f
Instruction Fuzzy Hash: 1B11E7A361059C82F655CFE6ACA9F962325E34ABD8F01D123DD6E5B714CE39C10AC300

Function 000000018000360B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3fb5a9eeac10a3300f6d077840e530f46ebbf9fe4c016881d133850f8f17c8
Instruction ID: a36b7cc2c4af6d59f8afc0f71b9ec04b8d8af27577798510533ca63255a80c4a
Opcode Fuzzy Hash: 6e3fb5a9eeac10a3300f6d077840e530f46ebbf9fe4c016881d133850f8f17c8
Instruction Fuzzy Hash: 2A21D4B2749A9482EB45CF64ECA87977761FB8D398F41A116DE4E43A24DF3DC109C700

Function 00000001800045A9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037cd8c268e63617e2917473a09d9d6e921883355685c35b3bec0bb58f67b92c
Instruction ID: ce12811f72a3b7b9351d994e929a9a9e0453ea8930cd5cb3cc7f46b610d4d47c
Opcode Fuzzy Hash: 037cd8c268e63617e2917473a09d9d6e921883355685c35b3bec0bb58f67b92c
Instruction Fuzzy Hash: 231184B271495442EB50CB64E8A839B6321F78D7B8F819316C97F576E4DF39C10AC744

Function 0000000180002777 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df05994bc2830c2c591ae22fcb2ccbea56bd1d89860d065a78f4855e0779169
Instruction ID: 1c532c8fced2f2eff92fe9ef23c76dde44938aa8fd7dc95dde59c2570677d884
Opcode Fuzzy Hash: 7df05994bc2830c2c591ae22fcb2ccbea56bd1d89860d065a78f4855e0779169
Instruction Fuzzy Hash: EA117CE271155846FF89CF66DDA97665393EB8C7E4F81D4268E1E8B768EE3CC1098300

Function 000000018000225E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3eeeece8eeac1b5fdc5ff2af2172208a6d805095d4d8f6a69d2ed7f9ee251
Instruction ID: 86db7e252892e2eaadae42e44f2c957c744d5fecb62b8453a0a9ac8a031b211d
Opcode Fuzzy Hash: 20e3eeeece8eeac1b5fdc5ff2af2172208a6d805095d4d8f6a69d2ed7f9ee251
Instruction Fuzzy Hash: ED119EA7611A9E43E74ADFF4BC64FCA3765E38A740F01A51A9E5A53510DA38C21AC300

Function 000000018000284D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfde7ca919d01b1d8f614db6afdd124e649404b4f0619785e71302ca0f375fc9
Instruction ID: ced17bf83e16dd0701111f08fa452e8f17ab33ca8eb30b9d252154dc16dbeed1
Opcode Fuzzy Hash: dfde7ca919d01b1d8f614db6afdd124e649404b4f0619785e71302ca0f375fc9
Instruction Fuzzy Hash: AA117CB6710A9842FB45CBB4ECA83DA6362E78C7D4F8199278A1F47264DE38C2098300

Function 0000000180003CF2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3981ec6c961d556c00c3e4b10dd43c218bdcd83b1e0207a8ebea4f0d41fe31ea
Instruction ID: 40a28b2c97b41e0fc0812b0c5bacec4405646e71b8d2ce031f7683d578f96f73
Opcode Fuzzy Hash: 3981ec6c961d556c00c3e4b10dd43c218bdcd83b1e0207a8ebea4f0d41fe31ea
Instruction Fuzzy Hash: 061186B6650A9842EA50CBA4FCA47DB2321F74D788F81A113CD1F57624EE35C21AC340

Function 0000000180003530 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5436a6c5fed49d038f598a762ae50c577332b5992abba539b3fad6c53f9324
Instruction ID: 2a1d0ad3e82236da7e983b079ac5a449a3d56a79dbfa68b5f7bcf8e0b78a1cc8
Opcode Fuzzy Hash: 0c5436a6c5fed49d038f598a762ae50c577332b5992abba539b3fad6c53f9324
Instruction Fuzzy Hash: 97115BB2355A5882EB55CF65ED987876322E74D788F82E122CC5E47628EF39C248C300

Function 0000000180002A06 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8672aeb0f0ed0c879d86e5c19cf19667cc3d459669cac2b5084f95841a785535
Instruction ID: 450b3370faa2cb2d5a601fdc78b43f919674feb271f0df1ae12ace71e4efb6dd
Opcode Fuzzy Hash: 8672aeb0f0ed0c879d86e5c19cf19667cc3d459669cac2b5084f95841a785535
Instruction Fuzzy Hash: C21170B270195882EB45CF65ECA8B9667A5F78DB84F42D516DE1E47324DF38C209C300

Function 0000000180003464 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b759a81910c3b524e99b3858d0a9e2b41ff0f9b01c5675c1ab0c077c0862eb0e
Instruction ID: b4e84d8ab7710c4c57239755c51ef58129f0ad994c9bc3cc5351e6695056dc5a
Opcode Fuzzy Hash: b759a81910c3b524e99b3858d0a9e2b41ff0f9b01c5675c1ab0c077c0862eb0e
Instruction Fuzzy Hash: 7F1157A639286982EB85CF65EDA8B975312E7497D8F82E112CC1E4B718EE39D109C300

Function 0000000180005E58 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7c1f2ac30cd9147bed69705b889b18d2bbd8005b7e9ddbbd9d54ecfba733a7
Instruction ID: d2eb94fba6b0b182a7d533999943f5c586038182622a3c8a7b6f043987faea39
Opcode Fuzzy Hash: 5a7c1f2ac30cd9147bed69705b889b18d2bbd8005b7e9ddbbd9d54ecfba733a7
Instruction Fuzzy Hash: 9A11A5F1320AC896EE81CBB5EC683DA6361E78D7D4F84A022CE1E47725CE28C209C304

Function 0000000180003880 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8c571c074744f899f8f377c1d9c9612274bc3d2c791104e4fe1bf5c42216b3
Instruction ID: cb11016d0a43076771842deb3ba7d133cfca034649766b9352b12f2f9073b384
Opcode Fuzzy Hash: 7f8c571c074744f899f8f377c1d9c9612274bc3d2c791104e4fe1bf5c42216b3
Instruction Fuzzy Hash: 500152B679165983EB85DF75ECA97EB2320EB4DB94F82A512CC1E57320DE39D909C300

Function 0000000180002E24 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131fd006a779a5085bf5b46e7193536c8db86a2ac8e5575b52316daaa72f9f56
Instruction ID: 402b98fdaeec88650cd8a168ad7d649d0fade3e9ba3baff6a7fd0df4b1199967
Opcode Fuzzy Hash: 131fd006a779a5085bf5b46e7193536c8db86a2ac8e5575b52316daaa72f9f56
Instruction Fuzzy Hash: 030152F6621A9983FB45CBB8ECA83D76325E74E7E8F41D1128E1E67625DE34C2098340

Function 00000001800033B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487311b2c9820503d6a5dae3d8d60110bd4d6cee73057637963884f56c4af8e6
Instruction ID: 8e92bc29d282ae0d928d91614fe53d78085dbcdd226fe0ee173ca4ef4d5826f0
Opcode Fuzzy Hash: 487311b2c9820503d6a5dae3d8d60110bd4d6cee73057637963884f56c4af8e6
Instruction Fuzzy Hash: A30140F2652A4A83FB45CBA4FDA8BC76322EB4D798F41E1169C1D07618EF38D2198300

Function 000000018000CB80 Relevance: 15.2, APIs: 10, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000CBA8
__scrt_initialize_crt.LIBCMT ref: 000000018000CBED
__scrt_acquire_startup_lock.LIBCMT ref: 000000018000CBFA
_RTC_Initialize.LIBCMT ref: 000000018000CC28
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000000018000CC4E
_initterm.MSVCRT ref: 000000018000CC65
__scrt_release_startup_lock.LIBCMT ref: 000000018000CC79

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock_initterm
String ID:
API String ID: 3249158762-0
Opcode ID: 5a5c9a036abee4f6952f0532d8eede2d64ee21733db9d877116367acf72bafba
Instruction ID: 2a4c13dbbe97c67b96177ecc31692964245443ac3ae8643659713bb35536c99c
Opcode Fuzzy Hash: 5a5c9a036abee4f6952f0532d8eede2d64ee21733db9d877116367acf72bafba
Instruction Fuzzy Hash: 5581BE7170064D86FBE3EB69E842BE93691AB8D7C0F14C026F90947796DE38CB4D8752

Function 00000001800105D0 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

localeconv, xrefs: 00000001800105DC
0, xrefs: 0000000180010661

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: 0$localeconv
API String ID: 0-1694054256
Opcode ID: 000e3b79443add43eec902b8c5a9a1890054fb5e372f480aa3582f9a7df45344
Instruction ID: 2204af7f2798db5be68ead3cf5d52d981f3db15f1d163f86b4a7d8b6d4ad82e3
Opcode Fuzzy Hash: 000e3b79443add43eec902b8c5a9a1890054fb5e372f480aa3582f9a7df45344
Instruction Fuzzy Hash: CAC19072205F84D6E7A28F25E49039C3BA4F709BD4F248216EACD47BA5CF78C669D740

Function 000000018000E3FC Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 225stringCOMMON

Download Yara Rule

APIs

wcsnlen.MSVCRT ref: 000000018000E463
strnlen.MSVCRT ref: 000000018000E483

Strings

(null), xrefs: 000000018000E451
0, xrefs: 000000018000E627
(null), xrefs: 000000018000E475

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: strnlenwcsnlen
String ID: (null)$(null)$0
API String ID: 3725369605-212571832
Opcode ID: d2eaeb3988bd27a5faeef8766c77f7b733958c6187e28012baf5872acc1337cd
Instruction ID: dcdd580166d80e6fe1632dc5e17e73228d4e784e24bcf56e6512a722ba1fc2f2
Opcode Fuzzy Hash: d2eaeb3988bd27a5faeef8766c77f7b733958c6187e28012baf5872acc1337cd
Instruction Fuzzy Hash: 3FA1BF72214AC886EBE6CF28D0407E937A1F35ABD8F649215EE4D67784DF31CA89C740

Function 000000018000FD00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000FD2D
RtlCopyMemory.NTDLL ref: 000000018000FD95
strcpy_s.MSVCRT ref: 000000018000FE15
RtlCopyMemory.NTDLL ref: 000000018000FEA9

Strings

gfff, xrefs: 000000018000FE74
e+000, xrefs: 000000018000FDF3

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: CopyMemory$_errnostrcpy_s
String ID: e+000$gfff
API String ID: 2629432028-3030954782
Opcode ID: 14fa7ff08853d1dd469ed48625ab93b643952035aa5e23bb5ed39967f3df6ac0
Instruction ID: 296f8e79fda0498c0103e755cbace666a6b69cf4b30755128c13b51cace9f301
Opcode Fuzzy Hash: 14fa7ff08853d1dd469ed48625ab93b643952035aa5e23bb5ed39967f3df6ac0
Instruction Fuzzy Hash: B35105727046C845E7B6CE25E8013A9BB91E348BC4F48C122EA944BFD6DF7DC649D701

Function 000000018000FEE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180010E00: fegetenv.LIBCMT ref: 0000000180010E4D
Part of subcall function 0000000180010E00: strcpy_s.MSVCRT ref: 0000000180010EDA

RtlCopyMemory.NTDLL ref: 000000018000FFA3
RtlCopyMemory.NTDLL ref: 000000018000FFD4
RtlCopyMemory.NTDLL ref: 0000000180010036
memset.NTDLL ref: 0000000180010046

Strings

-, xrefs: 000000018000FF76

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: CopyMemory$fegetenvmemsetstrcpy_s
String ID: -
API String ID: 659228780-2547889144
Opcode ID: 241718116317a55847dbd77936b3fd7edb74e61a092d9900892a81e3fc4d62ef
Instruction ID: ebfefbfd2f1e93d5e76747c711c9b4a1ebb90a974b4e753599a4ad646017aae4
Opcode Fuzzy Hash: 241718116317a55847dbd77936b3fd7edb74e61a092d9900892a81e3fc4d62ef
Instruction Fuzzy Hash: E241C532708B8D82EBA2DF2191403AA7795F74DFC4F54D221FA8A57B99DF78D6098700

Function 000000018000F200 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000018000F228
GetProcAddress.KERNEL32 ref: 000000018000F23E
FreeLibrary.KERNEL32 ref: 000000018000F257

Strings

CorExitProcess, xrefs: 000000018000F237
mscoree.dll, xrefs: 000000018000F21F

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5c9ed31946e5f1abe64733cdbf29012430a9d2c9ccabc5a3e62e375394e850ce
Instruction ID: d0444890418ef41b94753d1b29e08f1744ba7167098742cde55e476dbf3f1036
Opcode Fuzzy Hash: 5c9ed31946e5f1abe64733cdbf29012430a9d2c9ccabc5a3e62e375394e850ce
Instruction Fuzzy Hash: 2CF0B431300F0481EFA2CB64F4553A923A0AB8D7E0F548225E9AE416E4CF38C34DC700

Function 000000018000E0D0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000E0E8

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: eed2b5ada40f7ed7c64ed98c70b1544cb2c79cf4fd7996e08ae8be4713d9825c
Instruction ID: e31efeba5aa8630548cf1455b3d7c3197fdc07e7fa40510998546db08c0f2279
Opcode Fuzzy Hash: eed2b5ada40f7ed7c64ed98c70b1544cb2c79cf4fd7996e08ae8be4713d9825c
Instruction Fuzzy Hash: EA11E73260478480EAE5AB25F1403DD7390E3887E4F09A226FB6A1B7C5CE38D5D78704

Function 00000001800109F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001800109FB
GetProcAddress.KERNEL32 ref: 0000000180010A10

Strings

kernel32, xrefs: 00000001800109F4
AddDllDirectory, xrefs: 0000000180010A06

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AddDllDirectory$kernel32
API String ID: 1646373207-3758863895
Opcode ID: 386a41037e1f46b603523911a17befd6bb2b2881cc82ca9c4875bdc49c7b4b0c
Instruction ID: 94d1fcfb6abe9a13ea19cdbd68d76d0c9b2a371dcf28bdc137a2f57a4cac4c69
Opcode Fuzzy Hash: 386a41037e1f46b603523911a17befd6bb2b2881cc82ca9c4875bdc49c7b4b0c
Instruction Fuzzy Hash: F7F0C074B26F4991EB87CB15AC553D027A07B5D760F44D666A85E41730FF68D3DC9300

Function 0000000180012E30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

__C_specific_handler.NTDLL ref: 0000000180012E39
?terminate@@YAXXZ.MSVCRT ref: 0000000180012E57

Strings

f, xrefs: 0000000180012E3E
csm, xrefs: 0000000180012E44

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: ?terminate@@C_specific_handler
String ID: csm$f
API String ID: 2859504863-629598281
Opcode ID: 7f38064bf84f83e2da008ef77d2bc27bf8bfc6624cbad9441c0f0498e1572bce
Instruction ID: d8af0d244737bd96d47b441d0cdb5588ea9a02764b58c3b2b79adbe2221d83fc
Opcode Fuzzy Hash: 7f38064bf84f83e2da008ef77d2bc27bf8bfc6624cbad9441c0f0498e1572bce
Instruction Fuzzy Hash: 78D05E3982094C81FFEB376150463E919C0A72CB88F18C010FD500C282BE29CBBD8742

Function 000000018000D8C0 Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000D8F7

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 64169f0de9148cba93a94b23cde77ed5616a539a806e978f060aeee07665ae95
Instruction ID: b4c25039a5e367aa9eadbe8b47c637cb2dab23a3a00ca16383e83dad19a33ec9
Opcode Fuzzy Hash: 64169f0de9148cba93a94b23cde77ed5616a539a806e978f060aeee07665ae95
Instruction Fuzzy Hash: DD716E322047C886E7A6DF29A8803EE76A4F7597C8F148115FF8917B99CF79C6948B10

Function 000000018000DBE8 Relevance: 6.1, APIs: 4, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000DBF9
strtol.MSVCRT ref: 000000018000DC28
_errno.MSVCRT ref: 000000018000DC38
free.MSVCRT ref: 000000018000DE39

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno$freestrtol
String ID:
API String ID: 3444388478-0
Opcode ID: 0535ea31191012cb0ebb1afcc0821a21b4e33bf00769aa06bf1cc059e2b9d95a
Instruction ID: 3594dde9a326aa4b8f2b59f85447f76c2ce1c5b2a12f24d1702eb303a5c88620
Opcode Fuzzy Hash: 0535ea31191012cb0ebb1afcc0821a21b4e33bf00769aa06bf1cc059e2b9d95a
Instruction Fuzzy Hash: 5E517E3260478C86FBA2CF15E0407EAB7A1F3997D8F108016FA4947B99CF79D689CB10

Function 000000018000DCE8 Relevance: 6.1, APIs: 4, Instructions: 106stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000DCF5
strtol.MSVCRT ref: 000000018000DD24
_errno.MSVCRT ref: 000000018000DD34
free.MSVCRT ref: 000000018000DE39

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno$freestrtol
String ID:
API String ID: 3444388478-0
Opcode ID: 4123794607728ac7d8285b0ca81476db4304b0a98aa376d898cb4ad2edb44a44
Instruction ID: cb2ca2e76594b4d565196faaffe70d983b25cd8198377d698b3980531248ab77
Opcode Fuzzy Hash: 4123794607728ac7d8285b0ca81476db4304b0a98aa376d898cb4ad2edb44a44
Instruction Fuzzy Hash: B6414E3220478C86FBA2DF15E0407EAB7A1E7997D8F148017FA4947B99CF79D689CB10

Function 0000000180010070 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

RtlCopyMemory.NTDLL ref: 00000001800100F4
RtlCopyMemory.NTDLL ref: 0000000180010126
RtlCopyMemory.NTDLL ref: 0000000180010186
memset.NTDLL ref: 0000000180010196

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: CopyMemory$memset
String ID:
API String ID: 2685965848-0
Opcode ID: e6b595ed9eac46fe0a6f8968eb00a07e6a0e6c2457ad58b6a2533e7af3dbf1af
Instruction ID: 3e1ef25bd6a04dfa44c655fa15ffa098bb5a7d5c6890a3a97510f97d159ad76b
Opcode Fuzzy Hash: e6b595ed9eac46fe0a6f8968eb00a07e6a0e6c2457ad58b6a2533e7af3dbf1af
Instruction Fuzzy Hash: 0C31A032604BC895EB969F21D49039A7BA0F75DBD4F588221FB8A47785DFBCC649C301

Function 000000018000E34D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

0, xrefs: 000000018000E627
(null), xrefs: 000000018000E3DD

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID:
String ID: (null)$0
API String ID: 0-38302674
Opcode ID: 7855268e428f67f01df85f77ed174941f8b83656bd2305661a4cef01b1e4b8ca
Instruction ID: 481108fa4de768a69059f33bd072525b723e4b801b254d1e1887360759fd7071
Opcode Fuzzy Hash: 7855268e428f67f01df85f77ed174941f8b83656bd2305661a4cef01b1e4b8ca
Instruction Fuzzy Hash: ADA19172208AC885E7A6CF29D0507ED37A1F35ABC8F649119EE8D67784DF35CA89C740

Function 000000018000E513 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018000E579

Strings

0, xrefs: 000000018000E627

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: _errno
String ID: 0
API String ID: 2918714741-4108050209
Opcode ID: 7b167722fbbc0dc4659ea105ef812dc618b6e1e2f6db5385e36cf627f454b43f
Instruction ID: 5d9bdeb246628ad68f02a7b20af31a85a0c89628fb5b38ee8b6c2d68fc60ad04
Opcode Fuzzy Hash: 7b167722fbbc0dc4659ea105ef812dc618b6e1e2f6db5385e36cf627f454b43f
Instruction Fuzzy Hash: C3919D72204AC886EBE6CF24D0407ED77A1F35ABD8F649115EA4D67785DF32CA8AC740

Function 0000000180010B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,00000001800105EF,?,?,?,?,?,?,?,?,000000018000E1AF), ref: 0000000180010BC4

Strings

msvcrt.dll, xrefs: 0000000180010B9B

Memory Dump Source

Source File: 00000000.00000002.1277458618.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1277429637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.0000000180013000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.000000018008E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277499085.00000001800B4000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277745093.0000000180164000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1277790173.0000000180168000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_360safe.jbxd

Similarity

API ID: AddressProc
String ID: msvcrt.dll
API String ID: 190572456-370904613
Opcode ID: a01668f4adbfb72dc07825cc0141ff6225fd7b0af2ff7a7115459b4a557bfec6
Instruction ID: 63edd3773b1c2459ec4127de9ad35de3634355506139c96baaa1d733485e0519
Opcode Fuzzy Hash: a01668f4adbfb72dc07825cc0141ff6225fd7b0af2ff7a7115459b4a557bfec6
Instruction Fuzzy Hash: 54118E32306F4885EE968B16BD503956290AB4CBF4F088635AEBE47BD4DF2CC5844300

Analysis Process: svchost.exePID: 932, Parent PID: 6536COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59%
Total number of Nodes:	571
Total number of Limit Nodes:	76

Executed Functions

Function 000002287BC207E0 Relevance: 130.0, APIs: 73, Strings: 1, Instructions: 492
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,000002287BC11B37), ref: 000002287BC207F7
GetCurrentProcess.KERNEL32 ref: 000002287BC20828
OpenProcessToken.ADVAPI32 ref: 000002287BC20839
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC20861
AdjustTokenPrivileges.KERNELBASE ref: 000002287BC20881
GetLastError.KERNEL32 ref: 000002287BC20887
CloseHandle.KERNEL32 ref: 000002287BC2089B
VirtualAlloc.KERNEL32 ref: 000002287BC208B2
InitializeCriticalSection.KERNEL32 ref: 000002287BC208C4
IsBadReadPtr.KERNEL32 ref: 000002287BC208DD
EnterCriticalSection.KERNEL32 ref: 000002287BC208F0
VirtualAlloc.KERNEL32 ref: 000002287BC20907
LeaveCriticalSection.KERNEL32 ref: 000002287BC20936
IsBadReadPtr.KERNEL32 ref: 000002287BC20948
EnterCriticalSection.KERNEL32 ref: 000002287BC2095B
VirtualAlloc.KERNEL32 ref: 000002287BC20972
LeaveCriticalSection.KERNEL32 ref: 000002287BC209A1
IsBadReadPtr.KERNEL32 ref: 000002287BC209B3
EnterCriticalSection.KERNEL32 ref: 000002287BC209C6
VirtualAlloc.KERNEL32 ref: 000002287BC209DD
LeaveCriticalSection.KERNEL32 ref: 000002287BC20A0C
IsBadReadPtr.KERNEL32 ref: 000002287BC20A1E
EnterCriticalSection.KERNEL32 ref: 000002287BC20A31
VirtualAlloc.KERNEL32 ref: 000002287BC20A48
LeaveCriticalSection.KERNEL32 ref: 000002287BC20A77
IsBadReadPtr.KERNEL32 ref: 000002287BC20A89
EnterCriticalSection.KERNEL32 ref: 000002287BC20A9C
VirtualAlloc.KERNEL32 ref: 000002287BC20AB3
LeaveCriticalSection.KERNEL32 ref: 000002287BC20AE2
IsBadReadPtr.KERNEL32 ref: 000002287BC20AF4
EnterCriticalSection.KERNEL32 ref: 000002287BC20B07
VirtualAlloc.KERNEL32 ref: 000002287BC20B1E
LeaveCriticalSection.KERNEL32 ref: 000002287BC20B4D
IsBadReadPtr.KERNEL32 ref: 000002287BC20B5F
EnterCriticalSection.KERNEL32 ref: 000002287BC20B72
VirtualAlloc.KERNEL32 ref: 000002287BC20B89
LeaveCriticalSection.KERNEL32 ref: 000002287BC20BB8
IsBadReadPtr.KERNEL32 ref: 000002287BC20BCA
EnterCriticalSection.KERNEL32 ref: 000002287BC20BDD
VirtualAlloc.KERNEL32 ref: 000002287BC20BF4
LeaveCriticalSection.KERNEL32 ref: 000002287BC20C23
IsBadReadPtr.KERNEL32 ref: 000002287BC20C35
EnterCriticalSection.KERNEL32 ref: 000002287BC20C4B
LeaveCriticalSection.KERNEL32 ref: 000002287BC20C76
IsBadReadPtr.KERNEL32 ref: 000002287BC20C8E
EnterCriticalSection.KERNEL32 ref: 000002287BC20CA4
LeaveCriticalSection.KERNEL32 ref: 000002287BC20CC8
IsBadReadPtr.KERNEL32 ref: 000002287BC20CE1
EnterCriticalSection.KERNEL32 ref: 000002287BC20CF7
LeaveCriticalSection.KERNEL32 ref: 000002287BC20D1B
IsBadReadPtr.KERNEL32 ref: 000002287BC20D34
EnterCriticalSection.KERNEL32 ref: 000002287BC20D4A
LeaveCriticalSection.KERNEL32 ref: 000002287BC20D76
IsBadReadPtr.KERNEL32 ref: 000002287BC20D8F
EnterCriticalSection.KERNEL32 ref: 000002287BC20DA5
LeaveCriticalSection.KERNEL32 ref: 000002287BC20DC9
IsBadReadPtr.KERNEL32 ref: 000002287BC20DE2
EnterCriticalSection.KERNEL32 ref: 000002287BC20DF8
LeaveCriticalSection.KERNEL32 ref: 000002287BC20E1C
IsBadReadPtr.KERNEL32 ref: 000002287BC20E35
EnterCriticalSection.KERNEL32 ref: 000002287BC20E4B
LeaveCriticalSection.KERNEL32 ref: 000002287BC20E76
IsBadReadPtr.KERNEL32 ref: 000002287BC20E8F
EnterCriticalSection.KERNEL32 ref: 000002287BC20EA5
LeaveCriticalSection.KERNEL32 ref: 000002287BC20EC9
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F04
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F16
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F28
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F3A
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F4C
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F5E
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F70
LeaveCriticalSection.KERNEL32 ref: 000002287BC20F82

Strings

SeDebugPrivilege, xrefs: 000002287BC20850

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3221255601-2896544425
Opcode ID: a2b6e7ca68953369f1d1bed8feb1e7e4a33665da8ae3e4e728f5fee4189e6249
Instruction ID: 8d7b536ca44cdc2123039aa07b943505edafa436b1a826934a8589a8e72ec35e
Opcode Fuzzy Hash: a2b6e7ca68953369f1d1bed8feb1e7e4a33665da8ae3e4e728f5fee4189e6249
Instruction Fuzzy Hash: 0A320D39302B40E2FB558F91E65C769A376F785B85F68C026CE5A43BA4DF38D5A6C300

Function 000002287B5007E0 Relevance: 130.0, APIs: 73, Strings: 1, Instructions: 492
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,000002287B4F1B37), ref: 000002287B5007F7
GetCurrentProcess.KERNEL32 ref: 000002287B500828
OpenProcessToken.ADVAPI32 ref: 000002287B500839
LookupPrivilegeValueW.ADVAPI32 ref: 000002287B500861
AdjustTokenPrivileges.KERNELBASE ref: 000002287B500881
GetLastError.KERNEL32 ref: 000002287B500887
CloseHandle.KERNEL32 ref: 000002287B50089B
VirtualAlloc.KERNEL32 ref: 000002287B5008B2
InitializeCriticalSection.KERNEL32 ref: 000002287B5008C4
IsBadReadPtr.KERNEL32 ref: 000002287B5008DD
EnterCriticalSection.KERNEL32 ref: 000002287B5008F0
VirtualAlloc.KERNEL32 ref: 000002287B500907
LeaveCriticalSection.KERNEL32 ref: 000002287B500936
IsBadReadPtr.KERNEL32 ref: 000002287B500948
EnterCriticalSection.KERNEL32 ref: 000002287B50095B
VirtualAlloc.KERNEL32 ref: 000002287B500972
LeaveCriticalSection.KERNEL32 ref: 000002287B5009A1
IsBadReadPtr.KERNEL32 ref: 000002287B5009B3
EnterCriticalSection.KERNEL32 ref: 000002287B5009C6
VirtualAlloc.KERNEL32 ref: 000002287B5009DD
LeaveCriticalSection.KERNEL32 ref: 000002287B500A0C
IsBadReadPtr.KERNEL32 ref: 000002287B500A1E
EnterCriticalSection.KERNEL32 ref: 000002287B500A31
VirtualAlloc.KERNEL32 ref: 000002287B500A48
LeaveCriticalSection.KERNEL32 ref: 000002287B500A77
IsBadReadPtr.KERNEL32 ref: 000002287B500A89
EnterCriticalSection.KERNEL32 ref: 000002287B500A9C
VirtualAlloc.KERNEL32 ref: 000002287B500AB3
LeaveCriticalSection.KERNEL32 ref: 000002287B500AE2
IsBadReadPtr.KERNEL32 ref: 000002287B500AF4
EnterCriticalSection.KERNEL32 ref: 000002287B500B07
VirtualAlloc.KERNEL32 ref: 000002287B500B1E
LeaveCriticalSection.KERNEL32 ref: 000002287B500B4D
IsBadReadPtr.KERNEL32 ref: 000002287B500B5F
EnterCriticalSection.KERNEL32 ref: 000002287B500B72
VirtualAlloc.KERNEL32 ref: 000002287B500B89
LeaveCriticalSection.KERNEL32 ref: 000002287B500BB8
IsBadReadPtr.KERNEL32 ref: 000002287B500BCA
EnterCriticalSection.KERNEL32 ref: 000002287B500BDD
VirtualAlloc.KERNEL32 ref: 000002287B500BF4
LeaveCriticalSection.KERNEL32 ref: 000002287B500C23
IsBadReadPtr.KERNEL32 ref: 000002287B500C35
EnterCriticalSection.KERNEL32 ref: 000002287B500C4B
LeaveCriticalSection.KERNEL32 ref: 000002287B500C76
IsBadReadPtr.KERNEL32 ref: 000002287B500C8E
EnterCriticalSection.KERNEL32 ref: 000002287B500CA4
LeaveCriticalSection.KERNEL32 ref: 000002287B500CC8
IsBadReadPtr.KERNEL32 ref: 000002287B500CE1
EnterCriticalSection.KERNEL32 ref: 000002287B500CF7
LeaveCriticalSection.KERNEL32 ref: 000002287B500D1B
IsBadReadPtr.KERNEL32 ref: 000002287B500D34
EnterCriticalSection.KERNEL32 ref: 000002287B500D4A
LeaveCriticalSection.KERNEL32 ref: 000002287B500D76
IsBadReadPtr.KERNEL32 ref: 000002287B500D8F
EnterCriticalSection.KERNEL32 ref: 000002287B500DA5
LeaveCriticalSection.KERNEL32 ref: 000002287B500DC9
IsBadReadPtr.KERNEL32 ref: 000002287B500DE2
EnterCriticalSection.KERNEL32 ref: 000002287B500DF8
LeaveCriticalSection.KERNEL32 ref: 000002287B500E1C
IsBadReadPtr.KERNEL32 ref: 000002287B500E35
EnterCriticalSection.KERNEL32 ref: 000002287B500E4B
LeaveCriticalSection.KERNEL32 ref: 000002287B500E76
IsBadReadPtr.KERNEL32 ref: 000002287B500E8F
EnterCriticalSection.KERNEL32 ref: 000002287B500EA5
LeaveCriticalSection.KERNEL32 ref: 000002287B500EC9
LeaveCriticalSection.KERNEL32 ref: 000002287B500F04
LeaveCriticalSection.KERNEL32 ref: 000002287B500F16
LeaveCriticalSection.KERNEL32 ref: 000002287B500F28
LeaveCriticalSection.KERNEL32 ref: 000002287B500F3A
LeaveCriticalSection.KERNEL32 ref: 000002287B500F4C
LeaveCriticalSection.KERNEL32 ref: 000002287B500F5E
LeaveCriticalSection.KERNEL32 ref: 000002287B500F70
LeaveCriticalSection.KERNEL32 ref: 000002287B500F82

Strings

SeDebugPrivilege, xrefs: 000002287B500850

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3221255601-2896544425
Opcode ID: a2b6e7ca68953369f1d1bed8feb1e7e4a33665da8ae3e4e728f5fee4189e6249
Instruction ID: 97ebbe51039ebb56eb49ebdd9221f08829e4e56b866e188957e2305bffe518a3
Opcode Fuzzy Hash: a2b6e7ca68953369f1d1bed8feb1e7e4a33665da8ae3e4e728f5fee4189e6249
Instruction Fuzzy Hash: CC320A39302F44E2EB559F61EA5C369B3B2F744BA0FA84425CE6A43B94DF38D565D300

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filememorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
memcpy.NTDLL ref: 00000001800010EB
memcpy.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
SleepEx.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
SleepEx.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
Sleep.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
memcpy.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
memcpy.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

\Microsoft\Windows, xrefs: 000000018000149C
%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9

Memory Dump Source

Source File: 00000003.00000002.2485758756.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2485619743.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.000000018008E000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2486883489.0000000180164000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2487001400.0000000180168000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 1085075972-4137575348
Opcode ID: 25a54c13e9a735a875ead524e7afe43dc856ba856741995bc76f1784370f9354
Instruction ID: 8444b12730cc2e4b24a21f92cbaba62370983439c4159096c57ec2b4dd869c75
Opcode Fuzzy Hash: 25a54c13e9a735a875ead524e7afe43dc856ba856741995bc76f1784370f9354
Instruction Fuzzy Hash: 85F17932600B89D5F7A2DF65E8157DD37A0FB8DB98F448215EE9A57A94EF38C209C700

Function 000002287BC1FB40 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 201
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 000002287BC1FB91
GetLastError.KERNEL32 ref: 000002287BC1FB9F
VirtualAllocEx.KERNEL32 ref: 000002287BC1FBCB
WriteProcessMemory.KERNEL32 ref: 000002287BC1FBEF
GetLastError.KERNEL32 ref: 000002287BC1FBF9

Strings

h, xrefs: 000002287BC1FCFB
@, xrefs: 000002287BC1FC1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: AllocErrorLastVirtual$MemoryProcessWrite
String ID: @$h
API String ID: 1382438346-1029331998
Opcode ID: edab0e174b5066205762abb61903cd894a6083d3ffa50cc14d6c6a9f29330064
Instruction ID: c93c6ee6feca37032dc2b88d247ab5066dc23ea09f3e386735c560546aca2f0b
Opcode Fuzzy Hash: edab0e174b5066205762abb61903cd894a6083d3ffa50cc14d6c6a9f29330064
Instruction Fuzzy Hash: 3581F42621AB8086F760CFA9A84875EEB51F7D6788F548119EFC653B89DF3CC506CB00

Function 000002287B4FFB40 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 201
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 000002287B4FFB91
GetLastError.KERNEL32 ref: 000002287B4FFB9F
VirtualAllocEx.KERNEL32 ref: 000002287B4FFBCB
WriteProcessMemory.KERNEL32 ref: 000002287B4FFBEF
GetLastError.KERNEL32 ref: 000002287B4FFBF9

Strings

h, xrefs: 000002287B4FFCFB
@, xrefs: 000002287B4FFC1A

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: AllocErrorLastVirtual$MemoryProcessWrite
String ID: @$h
API String ID: 1382438346-1029331998
Opcode ID: edab0e174b5066205762abb61903cd894a6083d3ffa50cc14d6c6a9f29330064
Instruction ID: 8783f98b51c53cc014cf7f2c4a75cba8c944f8e0f79cbb8b24ae987bb0e302a8
Opcode Fuzzy Hash: edab0e174b5066205762abb61903cd894a6083d3ffa50cc14d6c6a9f29330064
Instruction Fuzzy Hash: 9B813B2621A7C09AE724CF99B84875EEB92F3A6784F545119FECA43B89DF3CC505CB00

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 0000000180001A3B
CLSIDFromString.OLE32 ref: 0000000180001CFA
IIDFromString.OLE32 ref: 0000000180001D0D
CoCreateInstance.COMBASE ref: 0000000180001D2C

Strings

:_:, xrefs: 0000000180001AF0
A::, xrefs: 0000000180001A4F
Y::, xrefs: 0000000180001C46
X:[:, xrefs: 0000000180001BAA
\:[:, xrefs: 0000000180001B9B
X:^:, xrefs: 0000000180001AE8
Y:\:, xrefs: 0000000180001AD8
\:^:, xrefs: 0000000180001C4D
:, xrefs: 0000000180001CA0
^:G:, xrefs: 0000000180001B44
:Y:, xrefs: 0000000180001C3F

Memory Dump Source

Source File: 00000003.00000002.2485758756.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2485619743.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.000000018008E000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2486883489.0000000180164000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2487001400.0000000180168000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: 042c554cad8af894e656224a2f31c9785861aedbae0dc43e1f823e5507c20a61
Instruction ID: bb9760e412e0da7a9fa856a0e12bed8815f139b06612a008ac7157658cf1ee11
Opcode Fuzzy Hash: 042c554cad8af894e656224a2f31c9785861aedbae0dc43e1f823e5507c20a61
Instruction Fuzzy Hash: CA91ED73D18BD4CAE311CF7994016ADBB70F799348F14A249EA946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.OLE32 ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

SYSTEM, xrefs: 0000000180001DD9
{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26

Memory Dump Source

Source File: 00000003.00000002.2485758756.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2485619743.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.000000018008E000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2486883489.0000000180164000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2487001400.0000000180168000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: 614b72df1dcfdb13e6e7e9f40b98ec6a16ace2cc5bef3ea5268e0735b5c70f43
Instruction ID: ea068f2d577331d4d34f7ce72b56dd1e3d0ea9ea0467babe62b28c7e472ad91b
Opcode Fuzzy Hash: 614b72df1dcfdb13e6e7e9f40b98ec6a16ace2cc5bef3ea5268e0735b5c70f43
Instruction Fuzzy Hash: 36B1CF36B00B588AEB40DFAAD88429D77B1FB88F99F558026DE0E57B28DF35C149C300

Function 000002287BC2D1D0 Relevance: 15.1, APIs: 10, Instructions: 95
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287BC127A4), ref: 000002287BC2D1F5
EnumServicesStatusExW.ADVAPI32 ref: 000002287BC2D241
malloc.MSVCRT ref: 000002287BC2D256
memset.NTDLL ref: 000002287BC2D26C
EnumServicesStatusExW.ADVAPI32 ref: 000002287BC2D2AB
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287BC127A4), ref: 000002287BC2D2B8
free.MSVCRT ref: 000002287BC2D2C1
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287BC127A4), ref: 000002287BC2D2DD
lstrcmpiW.KERNEL32(?,?,?,?,?,00000000,00001000,00000000,?,000002287BC127A4), ref: 000002287BC2D2FD
free.MSVCRT ref: 000002287BC2D321

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
String ID:
API String ID: 2647132813-0
Opcode ID: 65ea28f1ae8d39c06324f520d284c67a1b426bb17897373f6f46c6dbd1fc0fb8
Instruction ID: 457c90bffb0cd29edf80e9a689d6b0de63c1c69b7c1a4ca5f216ceb047252c18
Opcode Fuzzy Hash: 65ea28f1ae8d39c06324f520d284c67a1b426bb17897373f6f46c6dbd1fc0fb8
Instruction Fuzzy Hash: F2419A36205B40AAF720CFA5F84865AF7A5F7C9744F648425DA8D83B58EF38C946CB00

Function 000002287B50D1D0 Relevance: 15.1, APIs: 10, Instructions: 95
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287B4F27A4), ref: 000002287B50D1F5
EnumServicesStatusExW.ADVAPI32 ref: 000002287B50D241
malloc.MSVCRT ref: 000002287B50D256
memset.NTDLL ref: 000002287B50D26C
EnumServicesStatusExW.ADVAPI32 ref: 000002287B50D2AB
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287B4F27A4), ref: 000002287B50D2B8
free.MSVCRT ref: 000002287B50D2C1
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000002287B4F27A4), ref: 000002287B50D2DD
lstrcmpiW.KERNEL32(?,?,?,?,?,00000000,00001000,00000000,?,000002287B4F27A4), ref: 000002287B50D2FD
free.MSVCRT ref: 000002287B50D321

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
String ID:
API String ID: 2647132813-0
Opcode ID: 65ea28f1ae8d39c06324f520d284c67a1b426bb17897373f6f46c6dbd1fc0fb8
Instruction ID: e3279086aa6c9f56d72231e5a1a514c880e0fb35d2d7f0ca1a3fd16dda21346d
Opcode Fuzzy Hash: 65ea28f1ae8d39c06324f520d284c67a1b426bb17897373f6f46c6dbd1fc0fb8
Instruction Fuzzy Hash: 5641B73A206B40EAD724CF65F84865AF7A6F7C8B94F644125DE8E43B54EF38C549CB00

Function 000002287B50CAF0 Relevance: 15.1, APIs: 10, Instructions: 65
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287B50CB0B
GetProcessHeap.KERNEL32(?,?,00000000,000002287B4F25A0), ref: 000002287B50CB32
HeapAlloc.KERNEL32(?,?,00000000,000002287B4F25A0), ref: 000002287B50CB46
CloseHandle.KERNEL32(?,?,00000000,000002287B4F25A0), ref: 000002287B50CB57

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: Heap$AllocCloseCreateHandleProcessSnapshotToolhelp32
String ID:
API String ID: 1926892967-0
Opcode ID: 83253a1db69bbe089b2caa0e335e3cddcea3a2af0f53c395e1d6b6084172a312
Instruction ID: 8b31ae112cb564f98b1c8abb2a5e73cf994b32dfd1f0bbd897aa4015980813f9
Opcode Fuzzy Hash: 83253a1db69bbe089b2caa0e335e3cddcea3a2af0f53c395e1d6b6084172a312
Instruction Fuzzy Hash: D5218329315A40D6EB549FB2A84C329F7A2F789FE4F685124DF6A47794DF3CC4858700

Function 000002287BC2D3D0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 129
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002287BC2D3EF
GetCurrentProcess.KERNEL32 ref: 000002287BC2D409
K32GetModuleInformation.KERNEL32 ref: 000002287BC2D420
memset.NTDLL ref: 000002287BC2D438
GetSystemDirectoryW.KERNEL32 ref: 000002287BC2D447
lstrcatW.KERNEL32 ref: 000002287BC2D469
CreateFileW.KERNEL32 ref: 000002287BC2D496
CreateFileMappingW.KERNELBASE ref: 000002287BC2D4BD
MapViewOfFile.KERNEL32 ref: 000002287BC2D4E7
VirtualProtect.KERNEL32 ref: 000002287BC2D582
memcpy.NTDLL ref: 000002287BC2D597
VirtualProtect.KERNEL32 ref: 000002287BC2D5B5

Strings

\ntdll.dll, xrefs: 000002287BC2D455
ntdll.dll, xrefs: 000002287BC2D3DC
.text, xrefs: 000002287BC2D527

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
String ID: .text$\ntdll.dll$ntdll.dll
API String ID: 992094507-3745270394
Opcode ID: 42c7d1610a26bf8e9f5a24f8acf1d0ddfd7717f4bc4ff8c4f1ddaf0eb027a466
Instruction ID: f0e0e98573805868f52c38209c5807dc512571d6f13f2fbbe5d474f87b257bb2
Opcode Fuzzy Hash: 42c7d1610a26bf8e9f5a24f8acf1d0ddfd7717f4bc4ff8c4f1ddaf0eb027a466
Instruction Fuzzy Hash: 3F518E76315A80D6EB70CFA1E44C79AB3A2F7D9B44F648115DA8E43B58EF38C056CB00

Function 000002287B50D3D0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 129
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002287B50D3EF
GetCurrentProcess.KERNEL32 ref: 000002287B50D409
K32GetModuleInformation.KERNEL32 ref: 000002287B50D420
memset.NTDLL ref: 000002287B50D438
GetSystemDirectoryW.KERNEL32 ref: 000002287B50D447
lstrcatW.KERNEL32 ref: 000002287B50D469
CreateFileW.KERNEL32 ref: 000002287B50D496
CreateFileMappingW.KERNELBASE ref: 000002287B50D4BD
MapViewOfFile.KERNEL32 ref: 000002287B50D4E7
VirtualProtect.KERNEL32 ref: 000002287B50D582
memcpy.NTDLL ref: 000002287B50D597
VirtualProtect.KERNEL32 ref: 000002287B50D5B5

Strings

ntdll.dll, xrefs: 000002287B50D3DC
\ntdll.dll, xrefs: 000002287B50D455
.text, xrefs: 000002287B50D527

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
String ID: .text$\ntdll.dll$ntdll.dll
API String ID: 992094507-3745270394
Opcode ID: 42c7d1610a26bf8e9f5a24f8acf1d0ddfd7717f4bc4ff8c4f1ddaf0eb027a466
Instruction ID: 49758b01b897dc62862901d614650b8035c09fcca6c63065ea14fd31c30bdb9a
Opcode Fuzzy Hash: 42c7d1610a26bf8e9f5a24f8acf1d0ddfd7717f4bc4ff8c4f1ddaf0eb027a466
Instruction Fuzzy Hash: 5651AC7A306A80E6EB70DF61F44C79AB7A2F789B44F644115CA9E43B98EF38D155CB00

Function 000002287AD40508 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000002287AD40627
GetProcAddressForCaller.KERNELBASE ref: 000002287AD406C1

Strings

RtlR, xrefs: 000002287AD40558
ocat, xrefs: 000002287AD40566
l.dl, xrefs: 000002287AD4054B
ateH, xrefs: 000002287AD405B5
l.dl, xrefs: 000002287AD4059A
eHea, xrefs: 000002287AD4056D
RtlA, xrefs: 000002287AD405A7
lloc, xrefs: 000002287AD405AE
eap, xrefs: 000002287AD405BC
ntdl, xrefs: 000002287AD40541
ntdl, xrefs: 000002287AD40593
eAll, xrefs: 000002287AD4055F

Memory Dump Source

Source File: 00000003.00000002.2492147322.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287ad40000_svchost.jbxd

Similarity

API ID: AddressCallerLibraryLoadProc
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 4215043672-3994871222
Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction ID: a8996d2fec1ef9385d5ab40acaf3a05924d14e2b28a3354f859b714d7fd49550
Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction Fuzzy Hash: D371C531614A099FEF98EF98C8497A9BBE1FF94710F254119D80AD7285DF38E8428B85

Function 000002287A7D0508 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000002287A7D0627

Strings

eap, xrefs: 000002287A7D05BC
ateH, xrefs: 000002287A7D05B5
ntdl, xrefs: 000002287A7D0593
ntdl, xrefs: 000002287A7D0541
lloc, xrefs: 000002287A7D05AE
l.dl, xrefs: 000002287A7D059A
l.dl, xrefs: 000002287A7D054B
eAll, xrefs: 000002287A7D055F
ocat, xrefs: 000002287A7D0566
RtlA, xrefs: 000002287A7D05A7
eHea, xrefs: 000002287A7D056D
RtlR, xrefs: 000002287A7D0558

Memory Dump Source

Source File: 00000003.00000002.2491900595.000002287A7D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287a7d0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 1029625771-3994871222
Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction ID: efbd9501a70553fb517be2de5d29759dca93b07878e5e2a2e18b6f62054d071b
Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction Fuzzy Hash: 0D71F430608A099FEF58DF98C85A7A9B7E1FF84351F205119D84AC7285DF38D8438B85

Function 000002287BC2CAF0 Relevance: 15.1, APIs: 10, Instructions: 65
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2CB0B
GetProcessHeap.KERNEL32(?,?,00000000,000002287BC125A0), ref: 000002287BC2CB32
HeapAlloc.KERNEL32(?,?,00000000,000002287BC125A0), ref: 000002287BC2CB46
CloseHandle.KERNEL32(?,?,00000000,000002287BC125A0), ref: 000002287BC2CB57

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Heap$AllocCloseCreateHandleProcessSnapshotToolhelp32
String ID:
API String ID: 1926892967-0
Opcode ID: 83253a1db69bbe089b2caa0e335e3cddcea3a2af0f53c395e1d6b6084172a312
Instruction ID: f11d4660b7a841ea1593bcee37aa81463f1379fa1f086d6ef3a2f54c24c5b9f2
Opcode Fuzzy Hash: 83253a1db69bbe089b2caa0e335e3cddcea3a2af0f53c395e1d6b6084172a312
Instruction Fuzzy Hash: 9121C429205A40D6FB509FA2A90C72AF3A2F7CAFD5F688121DE5647794DF3CC0868700

Function 000002287BC2D860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000002287BC2D8B0
CoCreateInstance.COMBASE ref: 000002287BC2D8D5
CoUninitialize.OLE32 ref: 000002287BC2D8FE
SysAllocString.OLEAUT32 ref: 000002287BC2D916
SysFreeString.OLEAUT32 ref: 000002287BC2D930
CoUninitialize.OLE32 ref: 000002287BC2D94A

Strings

Block All Outbound, xrefs: 000002287BC2D90A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: StringUninitialize$AllocCreateFreeInitializeInstance
String ID: Block All Outbound
API String ID: 4211003860-2946277995
Opcode ID: 37e8deeb53738933e6396a41bf2ce5f7fa4c1b9731e50329b0e805033b26f612
Instruction ID: e2788a2e0d2b1a38a47ff835155059c57d3e5a3863d971863ab702414e912e02
Opcode Fuzzy Hash: 37e8deeb53738933e6396a41bf2ce5f7fa4c1b9731e50329b0e805033b26f612
Instruction Fuzzy Hash: 4E31297AB01B01DAEB00DFB5D84929C7771F794B88B148926DB1D47B28DF34C556CB90

Function 000002287B50D860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000002287B50D8B0
CoCreateInstance.COMBASE ref: 000002287B50D8D5
CoUninitialize.OLE32 ref: 000002287B50D8FE
SysAllocString.OLEAUT32 ref: 000002287B50D916
SysFreeString.OLEAUT32 ref: 000002287B50D930
CoUninitialize.OLE32 ref: 000002287B50D94A

Strings

Block All Outbound, xrefs: 000002287B50D90A

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: StringUninitialize$AllocCreateFreeInitializeInstance
String ID: Block All Outbound
API String ID: 4211003860-2946277995
Opcode ID: 37e8deeb53738933e6396a41bf2ce5f7fa4c1b9731e50329b0e805033b26f612
Instruction ID: 60dd8484a7eb60ad93bfdcef98167938e97e065bcb8d9e00d53dd9ec8dee39f0
Opcode Fuzzy Hash: 37e8deeb53738933e6396a41bf2ce5f7fa4c1b9731e50329b0e805033b26f612
Instruction Fuzzy Hash: 5631057AB01B00DAEB009F75D84829C77B1F794B98F144926DE1E57B28DF38C265CB90

Function 000002287BC1F6C0 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC1F6FE
memcpy.NTDLL ref: 000002287BC1F71A
VirtualFree.KERNEL32 ref: 000002287BC1F80F
VirtualFree.KERNEL32 ref: 000002287BC1F82F
VirtualFree.KERNELBASE ref: 000002287BC1F844

Strings

Z, xrefs: 000002287BC1F724
M, xrefs: 000002287BC1F71F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$Allocmemcpy
String ID: M$Z
API String ID: 2981101286-4250246861
Opcode ID: 16e58d14346dcf98e8e2775617a7dec6ccc8f7a4d8fbf8f21ee40814649467c4
Instruction ID: 6ae8518e259507eb0e671ca0e7b0da1e9d49665ae327a95c53f54a8a6b4772a3
Opcode Fuzzy Hash: 16e58d14346dcf98e8e2775617a7dec6ccc8f7a4d8fbf8f21ee40814649467c4
Instruction Fuzzy Hash: AC414366B11BC591FB018F7DD00832EA792A7D6B94F64C325DB9923395EF38C442C300

Function 000002287B4FF6C0 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287B4FF6FE
memcpy.NTDLL ref: 000002287B4FF71A
VirtualFree.KERNEL32 ref: 000002287B4FF80F
VirtualFree.KERNEL32 ref: 000002287B4FF82F
VirtualFree.KERNELBASE ref: 000002287B4FF844

Strings

M, xrefs: 000002287B4FF71F
Z, xrefs: 000002287B4FF724

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: Virtual$Free$Allocmemcpy
String ID: M$Z
API String ID: 2981101286-4250246861
Opcode ID: 16e58d14346dcf98e8e2775617a7dec6ccc8f7a4d8fbf8f21ee40814649467c4
Instruction ID: 288c369d5bee4311b813956c0fdc8e6ea4a688039fef44c7d9147d7f3a3369d4
Opcode Fuzzy Hash: 16e58d14346dcf98e8e2775617a7dec6ccc8f7a4d8fbf8f21ee40814649467c4
Instruction Fuzzy Hash: B1410426B12BC156FF108F7D940836DA7D2A7E5B94F68D329DA9917385EF39C441C300

Function 000002287BC1FF80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68processthreadinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000002287BC2001C
GetLastError.KERNEL32 ref: 000002287BC20026
CloseHandle.KERNEL32 ref: 000002287BC20038
CloseHandle.KERNEL32 ref: 000002287BC2004D
SuspendThread.KERNEL32 ref: 000002287BC2005C

Strings

h, xrefs: 000002287BC20014

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcessSuspendThread
String ID: h
API String ID: 2500411409-2439710439
Opcode ID: de6bad129ac4742c05161f156ad63c97b402b49de6b7de1bf9d965a2b328e7fc
Instruction ID: ac17e15626ac74015d5921d02e93b273241b6cc8650af302814b209bacd46f2d
Opcode Fuzzy Hash: de6bad129ac4742c05161f156ad63c97b402b49de6b7de1bf9d965a2b328e7fc
Instruction Fuzzy Hash: 4E319C36A18B8086F7108F91E45875DB3A4F3D8794F21922AEA8C43B14EFB9C4D1CB00

Function 000002287B4FFF80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68processthreadinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000002287B50001C
GetLastError.KERNEL32 ref: 000002287B500026
CloseHandle.KERNEL32 ref: 000002287B500038
CloseHandle.KERNEL32 ref: 000002287B50004D
SuspendThread.KERNEL32 ref: 000002287B50005C

Strings

h, xrefs: 000002287B500014

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcessSuspendThread
String ID: h
API String ID: 2500411409-2439710439
Opcode ID: de6bad129ac4742c05161f156ad63c97b402b49de6b7de1bf9d965a2b328e7fc
Instruction ID: 6f35da95719a8c8a2d7f47c9e4596ce13fe7bd7aa42062eb3290877a1d56dd83
Opcode Fuzzy Hash: de6bad129ac4742c05161f156ad63c97b402b49de6b7de1bf9d965a2b328e7fc
Instruction Fuzzy Hash: CC31A136A19B80C6E750CFA1E45835EB3A5F798790F259229EB9C43B14EF79C4D0CB00

Function 000002287BC26F90 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC26F9E
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FBB
VirtualFree.KERNELBASE(?,?,00000000,000002287BC11E65), ref: 000002287BC26FDF
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FF6
DeleteCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27000
VirtualFree.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27011

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
String ID:
API String ID: 4123369522-0
Opcode ID: dc521b05a2b1f255d7dad3c1341367fe33828e4c314c95ad538db3ee005c2c52
Instruction ID: 777de6f2a73d53b843d47c77ca32badd0fb58e6e7f089fa99925c517827afe69
Opcode Fuzzy Hash: dc521b05a2b1f255d7dad3c1341367fe33828e4c314c95ad538db3ee005c2c52
Instruction Fuzzy Hash: 4601403A315A40E3FB548F92E69C759A362FBC5B85F58C022DE5A43B54DF38C4968710

Function 000002287B506F90 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287B506F9E
EnterCriticalSection.KERNEL32(?,?,00000000,000002287B4F1E65), ref: 000002287B506FBB
VirtualFree.KERNELBASE(?,?,00000000,000002287B4F1E65), ref: 000002287B506FDF
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287B4F1E65), ref: 000002287B506FF6
DeleteCriticalSection.KERNEL32(?,?,00000000,000002287B4F1E65), ref: 000002287B507000
VirtualFree.KERNELBASE(?,?,00000000,000002287B4F1E65), ref: 000002287B507011

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
String ID:
API String ID: 4123369522-0
Opcode ID: dc521b05a2b1f255d7dad3c1341367fe33828e4c314c95ad538db3ee005c2c52
Instruction ID: 057075e89d22b3b2381241a557f1633094664f74731597caaf3e174fe14e2790
Opcode Fuzzy Hash: dc521b05a2b1f255d7dad3c1341367fe33828e4c314c95ad538db3ee005c2c52
Instruction Fuzzy Hash: 2F01523A315E40E3FB549FA2E55C769E362FB44B94F584420DF6A03B58DF38C0958710

Function 000002287BC2C9E0 Relevance: 7.6, APIs: 5, Instructions: 68processCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC2CA04
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2CA0E
Process32FirstW.KERNEL32 ref: 000002287BC2CA31
Process32NextW.KERNEL32 ref: 000002287BC2CA4E
CloseHandle.KERNEL32 ref: 000002287BC2CAD1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 25689970270811a04f1bb7179e810be154e641483dfeb96a7efa8f40864eac86
Instruction ID: ce644d17388b8031de2d440b614e8884770c5fa039641817210fb2d6d8166290
Opcode Fuzzy Hash: 25689970270811a04f1bb7179e810be154e641483dfeb96a7efa8f40864eac86
Instruction Fuzzy Hash: 1731392AA09B84D2F710CF68D6083ADA3A1F799B98F59D315DF9902256EF34D6C9C700

Function 000002287B50C9E0 Relevance: 7.6, APIs: 5, Instructions: 68processCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287B50CA04
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287B50CA0E
Process32FirstW.KERNEL32 ref: 000002287B50CA31
Process32NextW.KERNEL32 ref: 000002287B50CA4E
CloseHandle.KERNEL32 ref: 000002287B50CAD1

Memory Dump Source

Source File: 00000003.00000002.2495198004.000002287B4E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287B4E0000, based on PE: true

Associated: 00000003.00000002.2495164115.000002287B4E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495245950.000002287B548000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495289698.000002287B55C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495324573.000002287B562000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b4e0000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 25689970270811a04f1bb7179e810be154e641483dfeb96a7efa8f40864eac86
Instruction ID: d4e400f08d3cff3b4ce96c6c7efac241c54216eda5bcd42396bb651a3c602717
Opcode Fuzzy Hash: 25689970270811a04f1bb7179e810be154e641483dfeb96a7efa8f40864eac86
Instruction Fuzzy Hash: 8A316D2AA09B84D2E711CF38D5483ADB3A1F79AB98F19D315DF990225AEF34D684D700

Function 00000001800019D0 Relevance: 4.5, APIs: 3, Instructions: 16fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00000001800019D9
SleepEx.KERNEL32 ref: 00000001800019E8
DeleteFileW.KERNEL32 ref: 00000001800019F1

Memory Dump Source

Source File: 00000003.00000002.2485758756.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2485619743.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.0000000180013000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.000000018008E000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2485887283.00000001800B4000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2486883489.0000000180164000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2487001400.0000000180168000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: DeleteFile$Sleep
String ID:
API String ID: 2100639427-0
Opcode ID: 4bda49fe9f4e016e86280c0e6eaa4ce986c0e500d62fac3d8a335016f1c44b02
Instruction ID: 51a75f447c1f7fd9c29322073db99234aa81590105c98bfd672e3405234c2128
Opcode Fuzzy Hash: 4bda49fe9f4e016e86280c0e6eaa4ce986c0e500d62fac3d8a335016f1c44b02
Instruction Fuzzy Hash: 0BD05E20300A4986FB975BB2E8663E513E06B0DBC2F084024980685280DE18C7CE4300

Function 000002287A7D0345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 000002287A7D0395

Memory Dump Source

Source File: 00000003.00000002.2491900595.000002287A7D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287a7d0000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: 964e8646be31001e58704d3ef0f094e919f8cb9693f21dbeba195712fd8d41c6
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: C431F53164D6008BDB1CDA5CF8D2668B3D4F795345B34125DE9C7C7187EE39E8038A89

Function 000002287AD40345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 000002287AD40395

Memory Dump Source

Source File: 00000003.00000002.2492147322.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287ad40000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: a5ae0ac89267550a9a564b42db3bdc6868bd48b43ae28f0c7d11635472a02656
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: 2D31D1316496008BDB5CEA5CE8C6668B7D0FB95704F30015DE987C7187EE3DE8038A89

Function 000002287B860345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 000002287B860395

Memory Dump Source

Source File: 00000003.00000002.2495416719.000002287B860000.00000020.00000400.00020000.00000000.sdmp, Offset: 000002287B860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287b860000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: 3e1b54d9f00cff042556d1fbf36586d5cdc5ff62258f2975ffc8847df12e30fc
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: D831D1316596048BDB1CDE5CF8C2668B3D1F796349B30015DE997C7187EE39E8038A8D

Non-executed Functions

Function 000002287BC16110 Relevance: 105.2, APIs: 47, Strings: 13, Instructions: 229threadsleepstringCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000002287BC16170

Part of subcall function 000002287BC2C9E0: memset.NTDLL ref: 000002287BC2CA04
Part of subcall function 000002287BC2C9E0: CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2CA0E
Part of subcall function 000002287BC2C9E0: Process32FirstW.KERNEL32 ref: 000002287BC2CA31
Part of subcall function 000002287BC2C9E0: Process32NextW.KERNEL32 ref: 000002287BC2CA4E
Part of subcall function 000002287BC2C9E0: CloseHandle.KERNEL32 ref: 000002287BC2CAD1

TerminateThread.KERNEL32 ref: 000002287BC161AB
TerminateProcess.KERNEL32 ref: 000002287BC161DB
lstrcmpiW.KERNEL32 ref: 000002287BC161F8
Sleep.KERNEL32 ref: 000002287BC1620D
ExitThread.KERNEL32 ref: 000002287BC16215

Strings

HoopCityBase.dll, xrefs: 000002287BC1637F
sys, xrefs: 000002287BC16244
HoopCity.exe, xrefs: 000002287BC16349
192.197.113.45, xrefs: 000002287BC164DF
Inject Test, xrefs: 000002287BC161EA
MicrosoftEdgeUpdate, xrefs: 000002287BC16230, 000002287BC16296, 000002287BC16529
C:\Program Files\Windows Mail, xrefs: 000002287BC16350, 000002287BC16386, 000002287BC163BC, 000002287BC163F0, 000002287BC16424
install.cfg, xrefs: 000002287BC163E9
\drivers\, xrefs: 000002287BC16284
mimidump.inf, xrefs: 000002287BC163B5
%s\%s, xrefs: 000002287BC16357, 000002287BC1638D, 000002287BC163C3, 000002287BC163F7, 000002287BC1642B
temp.key, xrefs: 000002287BC1641D
.sys, xrefs: 000002287BC162A8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ProcessProcess32TerminateThread$CloseCreateCurrentExitFirstHandleNextSleepSnapshotToolhelp32lstrcmpimemset
String ID: %s\%s$.sys$192.197.113.45$C:\Program Files\Windows Mail$HoopCity.exe$HoopCityBase.dll$Inject Test$MicrosoftEdgeUpdate$\drivers\$install.cfg$mimidump.inf$sys$temp.key
API String ID: 946687889-777922760
Opcode ID: 355c9c76efd1d1c9ed74d2e3f5f72c78fba995c53ce3eee6f9b89f0540d70f2c
Instruction ID: 7928263303c6e3eaf0c85237b81ef17d80b307dcf723b5ac10030068430e2c8b
Opcode Fuzzy Hash: 355c9c76efd1d1c9ed74d2e3f5f72c78fba995c53ce3eee6f9b89f0540d70f2c
Instruction Fuzzy Hash: A0C12069212A85E2FB20DFA1E95C7D9B362F7C9B49FA4C012C60A47565EF3CC64BC701

Function 000002287BC1CE50 Relevance: 103.7, APIs: 50, Strings: 9, Instructions: 433stringfilememoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1CE97
memset.NTDLL ref: 000002287BC1CEAB
memset.NTDLL ref: 000002287BC1CEBF
memset.NTDLL ref: 000002287BC1CED3

Part of subcall function 000002287BC2C7F0: WTSEnumerateSessionsW.WTSAPI32 ref: 000002287BC2C82F

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC1CF02
GetProcessHeap.KERNEL32 ref: 000002287BC1CF14
HeapAlloc.KERNEL32 ref: 000002287BC1CF26
Process32FirstW.KERNEL32 ref: 000002287BC1CF40
lstrcmpiW.KERNEL32 ref: 000002287BC1CF5B
Process32NextW.KERNEL32 ref: 000002287BC1CF6B
GetProcessHeap.KERNEL32 ref: 000002287BC1CF82
HeapFree.KERNEL32 ref: 000002287BC1CF90
CloseHandle.KERNEL32 ref: 000002287BC1CF99
ProcessIdToSessionId.KERNEL32 ref: 000002287BC1CFAC
memset.NTDLL ref: 000002287BC1D05B
memset.NTDLL ref: 000002287BC1D06F
wsprintfW.USER32 ref: 000002287BC1D089
wsprintfW.USER32 ref: 000002287BC1D0A4
FindFirstFileW.KERNEL32 ref: 000002287BC1D0B5
VirtualFree.KERNEL32 ref: 000002287BC1D0EE
VirtualFree.KERNEL32 ref: 000002287BC1D118
VirtualFree.KERNEL32 ref: 000002287BC1D146
VirtualFree.KERNEL32 ref: 000002287BC1D180
VirtualFree.KERNEL32 ref: 000002287BC1D1AA
memset.NTDLL ref: 000002287BC1D1C9
memset.NTDLL ref: 000002287BC1D1DD
wsprintfW.USER32 ref: 000002287BC1D20B
FindFirstFileW.KERNEL32 ref: 000002287BC1D21C
FindNextFileW.KERNEL32 ref: 000002287BC1D239
lstrcmpiW.KERNEL32 ref: 000002287BC1D277
lstrcmpiW.KERNEL32 ref: 000002287BC1D290
lstrcmpiW.KERNEL32 ref: 000002287BC1D2A9
lstrcmpiW.KERNEL32 ref: 000002287BC1D2C2
memset.NTDLL ref: 000002287BC1D2DF
memset.NTDLL ref: 000002287BC1D2F3
lstrcatW.KERNEL32 ref: 000002287BC1D304
lstrcatW.KERNEL32 ref: 000002287BC1D315
lstrcatW.KERNEL32 ref: 000002287BC1D329
lstrcatW.KERNEL32 ref: 000002287BC1D33D
lstrcatW.KERNEL32 ref: 000002287BC1D351
FindFirstFileW.KERNEL32 ref: 000002287BC1D362
FindNextFileW.KERNEL32 ref: 000002287BC1D37D
FindNextFileW.KERNEL32 ref: 000002287BC1D3B8
FindNextFileW.KERNEL32 ref: 000002287BC1D3F6
lstrlenW.KERNEL32 ref: 000002287BC1D407
FindClose.KERNEL32 ref: 000002287BC1D4E2
VirtualFree.KERNEL32 ref: 000002287BC1D4F8
VirtualFree.KERNEL32 ref: 000002287BC1D522
VirtualFree.KERNEL32 ref: 000002287BC1D538
VirtualFree.KERNEL32 ref: 000002287BC1D562

Strings

\Desktop\, xrefs: 000002287BC1D31B
*.*, xrefs: 000002287BC1D343
Default User, xrefs: 000002287BC1D285
%s*.*, xrefs: 000002287BC1D096, 000002287BC1D1F4
Public, xrefs: 000002287BC1D2B7
C:\Users\%s\Desktop\, xrefs: 000002287BC1D07B
All Users, xrefs: 000002287BC1D26C
explorer.exe, xrefs: 000002287BC1CF54
Default, xrefs: 000002287BC1D29E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Freememset$Virtual$Find$File$Nextlstrcatlstrcmpi$FirstHeap$Processwsprintf$CloseProcess32$AllocCreateEnumerateHandleSessionSessionsSnapshotToolhelp32lstrlen
String ID: %s*.*$*.*$All Users$C:\Users\%s\Desktop\$Default$Default User$Public$\Desktop\$explorer.exe
API String ID: 2219514461-2447876743
Opcode ID: f96d0ee469809c6c1c2e0bd3881d1d19bdd5b3c186d6ccdbc88e305581691bcf
Instruction ID: 6ace871222316d2fb07fd3144312da2bb2e9d579b4351fb4fb0961f020cfa185
Opcode Fuzzy Hash: f96d0ee469809c6c1c2e0bd3881d1d19bdd5b3c186d6ccdbc88e305581691bcf
Instruction Fuzzy Hash: E112067A302A45A5FB64DFA2D85C79DB3A2FBC5B98F64C115CD0A57698EF38C14AC300

Function 000002287BC29390 Relevance: 98.4, APIs: 53, Strings: 3, Instructions: 425stringprocessmemoryCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 000002287BC293A5
memset.NTDLL ref: 000002287BC293C7
memset.NTDLL ref: 000002287BC293DB
GetCurrentProcess.KERNEL32 ref: 000002287BC2940A
OpenProcessToken.ADVAPI32 ref: 000002287BC2941D
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC29445
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC29467
GetLastError.KERNEL32 ref: 000002287BC2946D
CloseHandle.KERNEL32 ref: 000002287BC29483
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2948E
Process32FirstW.KERNEL32 ref: 000002287BC294C7
OpenProcess.KERNEL32 ref: 000002287BC294EB
memset.NTDLL ref: 000002287BC29517
lstrcpyW.KERNEL32 ref: 000002287BC29527
GetPriorityClass.KERNEL32 ref: 000002287BC29539
memset.NTDLL ref: 000002287BC29568
memset.NTDLL ref: 000002287BC2957C
OpenProcessToken.ADVAPI32 ref: 000002287BC29597
GetTokenInformation.ADVAPI32 ref: 000002287BC295C9
GlobalAlloc.KERNEL32 ref: 000002287BC295E4
GetTokenInformation.ADVAPI32 ref: 000002287BC29615
LookupAccountSidW.ADVAPI32 ref: 000002287BC29671
LookupAccountSidW.ADVAPI32 ref: 000002287BC296CE
lstrcpyW.KERNEL32 ref: 000002287BC296E6
GlobalFree.KERNEL32 ref: 000002287BC296EF
CloseHandle.KERNEL32 ref: 000002287BC296FF
ProcessIdToSessionId.KERNEL32 ref: 000002287BC2970F
K32GetProcessMemoryInfo.KERNEL32 ref: 000002287BC29743
K32EnumProcessModules.KERNEL32 ref: 000002287BC29776
K32GetProcessImageFileNameW.KERNEL32 ref: 000002287BC2978C
GetLogicalDriveStringsW.KERNEL32 ref: 000002287BC297AE
QueryDosDeviceW.KERNEL32 ref: 000002287BC29804
lstrlenW.KERNEL32 ref: 000002287BC29815
wcsncmp.NTDLL ref: 000002287BC2982F
lstrcpyW.KERNEL32 ref: 000002287BC29865
CreateFileW.KERNEL32 ref: 000002287BC2988F
GetFileSize.KERNEL32 ref: 000002287BC298A3
CloseHandle.KERNEL32 ref: 000002287BC298BA
lstrcpyW.KERNEL32 ref: 000002287BC298CE
lstrcatW.KERNEL32 ref: 000002287BC298E6
CloseHandle.KERNEL32 ref: 000002287BC29915
Process32NextW.KERNEL32 ref: 000002287BC29922
GetCurrentProcess.KERNEL32 ref: 000002287BC29948
OpenProcessToken.ADVAPI32 ref: 000002287BC2995D
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC29981
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC299A5
GetLastError.KERNEL32 ref: 000002287BC299AB
CloseHandle.KERNEL32 ref: 000002287BC299C1
CloseHandle.KERNEL32 ref: 000002287BC299CF
VirtualFree.KERNEL32 ref: 000002287BC29A69
VirtualFree.KERNEL32 ref: 000002287BC29A93
VirtualFree.KERNEL32 ref: 000002287BC29AB1
VirtualFree.KERNEL32 ref: 000002287BC29ADB

Strings

unknown, xrefs: 000002287BC29796
H, xrefs: 000002287BC29733
SeDebugPrivilege, xrefs: 000002287BC29434, 000002287BC29974

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
String ID: H$SeDebugPrivilege$unknown
API String ID: 976869081-3969872153
Opcode ID: dbc98f8ea325e227135fe9df3ef70e19276db119939f4244fda90c59cafe7649
Instruction ID: ffc38c7a2d4101dfd14ffd0a61aacf6035df4decb730c0aaa8884cab45849bc9
Opcode Fuzzy Hash: dbc98f8ea325e227135fe9df3ef70e19276db119939f4244fda90c59cafe7649
Instruction Fuzzy Hash: BF22B63A602B81D6FB60CFA1D94C7DDB3A2F7C9B98F508116DA5947A98DF38C646C700

Function 000002287BC123E0 Relevance: 79.0, APIs: 37, Strings: 8, Instructions: 242memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC2BA20: VirtualAlloc.KERNEL32 ref: 000002287BC2BA49
Part of subcall function 000002287BC2BA20: memcpy.NTDLL ref: 000002287BC2BA6D
Part of subcall function 000002287BC2BA20: VirtualAlloc.KERNEL32 ref: 000002287BC2BA98
Part of subcall function 000002287BC2BA20: memcpy.NTDLL ref: 000002287BC2BACD
Part of subcall function 000002287BC2BA20: memcpy.NTDLL ref: 000002287BC2BB03
Part of subcall function 000002287BC2BA20: memset.NTDLL ref: 000002287BC2BB9C
Part of subcall function 000002287BC2BA20: ExpandEnvironmentStringsW.KERNEL32 ref: 000002287BC2BBB3
Part of subcall function 000002287BC2BA20: memset.NTDLL ref: 000002287BC2BBC8

Part of subcall function 000002287BC2D3D0: GetModuleHandleW.KERNEL32 ref: 000002287BC2D3EF
Part of subcall function 000002287BC2D3D0: GetCurrentProcess.KERNEL32 ref: 000002287BC2D409
Part of subcall function 000002287BC2D3D0: K32GetModuleInformation.KERNEL32 ref: 000002287BC2D420
Part of subcall function 000002287BC2D3D0: memset.NTDLL ref: 000002287BC2D438
Part of subcall function 000002287BC2D3D0: GetSystemDirectoryW.KERNEL32 ref: 000002287BC2D447
Part of subcall function 000002287BC2D3D0: lstrcatW.KERNEL32 ref: 000002287BC2D469
Part of subcall function 000002287BC2D3D0: CreateFileW.KERNEL32 ref: 000002287BC2D496
Part of subcall function 000002287BC2D3D0: CreateFileMappingW.KERNELBASE ref: 000002287BC2D4BD
Part of subcall function 000002287BC2D3D0: MapViewOfFile.KERNEL32 ref: 000002287BC2D4E7
Part of subcall function 000002287BC2D3D0: VirtualProtect.KERNEL32 ref: 000002287BC2D582
Part of subcall function 000002287BC2D3D0: memcpy.NTDLL ref: 000002287BC2D597

WSAStartup.WS2_32 ref: 000002287BC12407

Part of subcall function 000002287BC2D860: CoInitializeEx.OLE32 ref: 000002287BC2D8B0
Part of subcall function 000002287BC2D860: CoCreateInstance.COMBASE ref: 000002287BC2D8D5
Part of subcall function 000002287BC2D860: CoUninitialize.OLE32 ref: 000002287BC2D8FE

GetCommandLineW.KERNEL32 ref: 000002287BC12444
CommandLineToArgvW.SHELL32 ref: 000002287BC12454

Part of subcall function 000002287BC1B120: VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B137
Part of subcall function 000002287BC1B120: CreateEventW.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1C1
Part of subcall function 000002287BC1B120: VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1E6
Part of subcall function 000002287BC1B120: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1F8
Part of subcall function 000002287BC1B120: VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B21D
Part of subcall function 000002287BC1B120: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B22F
Part of subcall function 000002287BC1B120: VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B254
Part of subcall function 000002287BC1B120: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B266
Part of subcall function 000002287BC1B120: VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B28B
Part of subcall function 000002287BC1B120: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B29D

VirtualAlloc.KERNEL32 ref: 000002287BC12475
InitializeCriticalSection.KERNEL32 ref: 000002287BC12487
VirtualAlloc.KERNEL32 ref: 000002287BC124AC
InitializeCriticalSection.KERNEL32 ref: 000002287BC124BE
memset.NTDLL ref: 000002287BC124DF
GetCurrentProcessId.KERNEL32 ref: 000002287BC124E4
lstrcmpiW.KERNEL32 ref: 000002287BC12504
lstrcmpiW.KERNEL32 ref: 000002287BC1251F
ExitThread.KERNEL32 ref: 000002287BC12530

Strings

HoopCity.exe, xrefs: 000002287BC12594
perfmon.exe, xrefs: 000002287BC12537
/Processid:{F8284233-48F4-4680-ADDD-F8284233}, xrefs: 000002287BC12721, 000002287BC12747
Schedule, xrefs: 000002287BC12578, 000002287BC12798
Inject Test, xrefs: 000002287BC124F6
taskmgr.exe, xrefs: 000002287BC12513
svchost.exe, xrefs: 000002287BC1255E
C:\Program Files\Windows Mail, xrefs: 000002287BC126B6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
String ID: /Processid:{F8284233-48F4-4680-ADDD-F8284233}$C:\Program Files\Windows Mail$HoopCity.exe$Inject Test$Schedule$perfmon.exe$svchost.exe$taskmgr.exe
API String ID: 3540647475-945176800
Opcode ID: 52c341ef86cc80a7abd342705fbefd9b5f0097be15025d5684c8ff902fd2cb03
Instruction ID: 728f72a8396bef29742e6950f33555591ae72e74c6ab11ead7516c0fcdb453fb
Opcode Fuzzy Hash: 52c341ef86cc80a7abd342705fbefd9b5f0097be15025d5684c8ff902fd2cb03
Instruction Fuzzy Hash: 33B1926D202B85E2FB209FA1ED5C799A363FBC5745F64C016D90A576A4EF38C587C700

Function 000002287BC1EBA0 Relevance: 77.3, APIs: 39, Strings: 5, Instructions: 330memorystringprocessCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 000002287BC1EBB4
memset.NTDLL ref: 000002287BC1EBD8
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC1EBE6
GetLastError.KERNEL32 ref: 000002287BC1EBF0
lstrcatW.KERNEL32 ref: 000002287BC1EC09
CreateFileW.KERNEL32 ref: 000002287BC1EC88
GetLastError.KERNEL32 ref: 000002287BC1EC97
WriteFile.KERNEL32 ref: 000002287BC1ECB4
GetLastError.KERNEL32 ref: 000002287BC1ECBE
CloseHandle.KERNEL32 ref: 000002287BC1ECCC
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC1ECE3
GetProcessHeap.KERNEL32 ref: 000002287BC1ECF2
HeapAlloc.KERNEL32 ref: 000002287BC1ED06
CloseHandle.KERNEL32 ref: 000002287BC1ED17
GetLastError.KERNEL32 ref: 000002287BC1ED1D
Process32FirstW.KERNEL32 ref: 000002287BC1ED5A
lstrcmpiW.KERNEL32 ref: 000002287BC1ED6F
Process32NextW.KERNEL32 ref: 000002287BC1ED8E
GetProcessHeap.KERNEL32 ref: 000002287BC1ED98
HeapFree.KERNEL32 ref: 000002287BC1EDA6
CloseHandle.KERNEL32 ref: 000002287BC1EDB4
memset.NTDLL ref: 000002287BC1EDC9
memset.NTDLL ref: 000002287BC1EDDD
memset.NTDLL ref: 000002287BC1EDF1
memset.NTDLL ref: 000002287BC1EE05
memset.NTDLL ref: 000002287BC1EEA1
memset.NTDLL ref: 000002287BC1EEB5
PathRemoveFileSpecW.SHLWAPI ref: 000002287BC1EECF
wsprintfW.USER32 ref: 000002287BC1EEED
CreateProcessW.KERNEL32 ref: 000002287BC1EF33
CloseHandle.KERNEL32 ref: 000002287BC1EF45
CloseHandle.KERNEL32 ref: 000002287BC1EF5A
memset.NTDLL ref: 000002287BC1EF78
wsprintfW.USER32 ref: 000002287BC1EF95
lstrlenW.KERNEL32 ref: 000002287BC1EFA2
VirtualFree.KERNEL32 ref: 000002287BC1F099
VirtualFree.KERNEL32 ref: 000002287BC1F0C3
VirtualFree.KERNEL32 ref: 000002287BC1F0D9
VirtualFree.KERNEL32 ref: 000002287BC1F103

Part of subcall function 000002287BC26F90: IsBadReadPtr.KERNEL32 ref: 000002287BC26F9E
Part of subcall function 000002287BC26F90: EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FBB
Part of subcall function 000002287BC26F90: VirtualFree.KERNELBASE(?,?,00000000,000002287BC11E65), ref: 000002287BC26FDF
Part of subcall function 000002287BC26F90: LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FF6
Part of subcall function 000002287BC26F90: DeleteCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27000
Part of subcall function 000002287BC26F90: VirtualFree.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27011

Strings

rar.exe a "tdata_%d.rar" %s -m5, xrefs: 000002287BC1EEDF
%s\tdata_%d.rar, xrefs: 000002287BC1EF87
\rar.exe, xrefs: 000002287BC1EBF6
Telegram.exe, xrefs: 000002287BC1ED68
"tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77, xrefs: 000002287BC1EED5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memset$Free$Virtual$CloseHandle$ErrorHeapLast$CreateCriticalFileProcessSection$Process32wsprintf$AllocDeleteDirectoryEnterFirstLeaveNextPathReadRemoveSnapshotSpecToolhelp32WindowsWrite__chkstklstrcatlstrcmpilstrlen
String ID: "tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77$%s\tdata_%d.rar$Telegram.exe$\rar.exe$rar.exe a "tdata_%d.rar" %s -m5
API String ID: 1825664495-2162963810
Opcode ID: 82cea7463d976c17f81840de5f559da3749c9e29b869f7e27d444af30f97aed6
Instruction ID: 03915326a3972a1e4a093ccaa77abc9d7a73064b0b940239cc45b4f8b78317aa
Opcode Fuzzy Hash: 82cea7463d976c17f81840de5f559da3749c9e29b869f7e27d444af30f97aed6
Instruction Fuzzy Hash: 82E1B43A702B8196FB20DFA1D95C79DA3A6FBC9B88F508115CE4A57B58DF38C256C700

Function 000002287BC17840 Relevance: 73.8, APIs: 26, Strings: 16, Instructions: 273memorythreadstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC17869
GetSystemDirectoryW.KERNEL32 ref: 000002287BC1787A
GetLastError.KERNEL32 ref: 000002287BC17884
lstrcatW.KERNEL32 ref: 000002287BC17A5B
IsBadReadPtr.KERNEL32 ref: 000002287BC17A70
EnterCriticalSection.KERNEL32 ref: 000002287BC17A86
LeaveCriticalSection.KERNEL32 ref: 000002287BC17AA9

Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,000002287BC11B37), ref: 000002287BC207F7
Part of subcall function 000002287BC207E0: GetCurrentProcess.KERNEL32 ref: 000002287BC20828
Part of subcall function 000002287BC207E0: OpenProcessToken.ADVAPI32 ref: 000002287BC20839
Part of subcall function 000002287BC207E0: LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC20861
Part of subcall function 000002287BC207E0: AdjustTokenPrivileges.KERNELBASE ref: 000002287BC20881
Part of subcall function 000002287BC207E0: GetLastError.KERNEL32 ref: 000002287BC20887
Part of subcall function 000002287BC207E0: CloseHandle.KERNEL32 ref: 000002287BC2089B
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC208B2
Part of subcall function 000002287BC207E0: InitializeCriticalSection.KERNEL32 ref: 000002287BC208C4
Part of subcall function 000002287BC207E0: IsBadReadPtr.KERNEL32 ref: 000002287BC208DD
Part of subcall function 000002287BC207E0: EnterCriticalSection.KERNEL32 ref: 000002287BC208F0
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC20907
Part of subcall function 000002287BC207E0: LeaveCriticalSection.KERNEL32 ref: 000002287BC20936
Part of subcall function 000002287BC207E0: IsBadReadPtr.KERNEL32 ref: 000002287BC20948
Part of subcall function 000002287BC207E0: EnterCriticalSection.KERNEL32 ref: 000002287BC2095B
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC20972

IsBadReadPtr.KERNEL32 ref: 000002287BC17B24
EnterCriticalSection.KERNEL32 ref: 000002287BC17B37
VirtualAlloc.KERNEL32 ref: 000002287BC17B4F
LeaveCriticalSection.KERNEL32 ref: 000002287BC17B73
CreateThread.KERNEL32 ref: 000002287BC17BA3
IsBadReadPtr.KERNEL32 ref: 000002287BC17BC7
EnterCriticalSection.KERNEL32 ref: 000002287BC17BDA
VirtualAlloc.KERNEL32 ref: 000002287BC17BF1
LeaveCriticalSection.KERNEL32 ref: 000002287BC17C15
memset.NTDLL ref: 000002287BC17C35
GetCurrentProcessId.KERNEL32 ref: 000002287BC17C3A
wsprintfW.USER32 ref: 000002287BC17C54
IsBadReadPtr.KERNEL32 ref: 000002287BC17C77
EnterCriticalSection.KERNEL32 ref: 000002287BC17C8A
VirtualAlloc.KERNEL32 ref: 000002287BC17CA1
LeaveCriticalSection.KERNEL32 ref: 000002287BC17CC5
CreateThread.KERNEL32 ref: 000002287BC17CE7
VirtualFree.KERNEL32 ref: 000002287BC17D0D
LeaveCriticalSection.KERNEL32 ref: 000002287BC17D3D

Strings

j:H:, xrefs: 000002287BC178F2
A:|:, xrefs: 000002287BC1793A
{:~:, xrefs: 000002287BC179A5
V:V:, xrefs: 000002287BC178A7
_:I:, xrefs: 000002287BC1791C
f:^:, xrefs: 000002287BC1789B
R:U:, xrefs: 000002287BC178B3
U:Y:, xrefs: 000002287BC17914
^:, xrefs: 000002287BC1792C
I:S:, xrefs: 000002287BC17924
\\.\Pipe\%d_pipe%d, xrefs: 000002287BC17C43
:, xrefs: 000002287BC179F0
I:N:, xrefs: 000002287BC178BF
:G:, xrefs: 000002287BC179CF
~:~:, xrefs: 000002287BC179AC
B:_:, xrefs: 000002287BC178D7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
API String ID: 1888231936-1994672154
Opcode ID: cbf6abfbc033660e843f0a5311465038b5e1e59bb17b533fa7d65659cda686bd
Instruction ID: cb01392dbc2d8ea6f59f1be2ef4df6e88bbcd4258b8f6c3f1ffb207a373eee48
Opcode Fuzzy Hash: cbf6abfbc033660e843f0a5311465038b5e1e59bb17b533fa7d65659cda686bd
Instruction Fuzzy Hash: 88E1BF77606B80DAF7108F71E8087AEB7A1F7C9B48F149216DE9917A58EF38D585CB00

Function 000002287BC27320 Relevance: 72.1, APIs: 38, Strings: 3, Instructions: 334stringnetworkmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC27349
lstrlenW.KERNEL32 ref: 000002287BC27366
lstrlenW.KERNEL32 ref: 000002287BC27379
GetCurrentProcess.KERNEL32 ref: 000002287BC2738F
OpenProcessToken.ADVAPI32 ref: 000002287BC273A3
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC273CB
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC273ED
GetLastError.KERNEL32 ref: 000002287BC273F3
CloseHandle.KERNEL32 ref: 000002287BC27409
GetExtendedTcpTable.IPHLPAPI ref: 000002287BC2742F
VirtualAlloc.KERNEL32 ref: 000002287BC27447
GetExtendedTcpTable.IPHLPAPI ref: 000002287BC2747A
VirtualFree.KERNEL32 ref: 000002287BC2748F
memset.NTDLL ref: 000002287BC2750F
lstrlenW.KERNEL32 ref: 000002287BC2752A
memset.NTDLL ref: 000002287BC275A9
inet_ntoa.WS2_32 ref: 000002287BC275B1
lstrcpyA.KERNEL32 ref: 000002287BC275BE
lstrlenA.KERNEL32 ref: 000002287BC275C8
htons.WS2_32 ref: 000002287BC275F7
memset.NTDLL ref: 000002287BC27636
inet_ntoa.WS2_32 ref: 000002287BC2763E
lstrcpyA.KERNEL32 ref: 000002287BC2764E
lstrlenA.KERNEL32 ref: 000002287BC2765B
htons.WS2_32 ref: 000002287BC2768D
memset.NTDLL ref: 000002287BC276BC
lstrlenW.KERNEL32 ref: 000002287BC276D7
VirtualFree.KERNEL32 ref: 000002287BC2772E
GetCurrentProcess.KERNEL32 ref: 000002287BC27744
OpenProcessToken.ADVAPI32 ref: 000002287BC27759
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC2777E
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC277A2
GetLastError.KERNEL32 ref: 000002287BC277A8
CloseHandle.KERNEL32 ref: 000002287BC277BE
VirtualFree.KERNEL32 ref: 000002287BC27867
VirtualFree.KERNEL32 ref: 000002287BC27891
VirtualFree.KERNEL32 ref: 000002287BC278AF
VirtualFree.KERNEL32 ref: 000002287BC278D9

Strings

TCP, xrefs: 000002287BC27351, 000002287BC27590
System, xrefs: 000002287BC2736E
SeDebugPrivilege, xrefs: 000002287BC273BA, 000002287BC27770

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
String ID: SeDebugPrivilege$System$TCP
API String ID: 2139412910-32757284
Opcode ID: a77dbad989e3143b53eb5463b68a4ac7d5beef60ca2f518ecfe8aa5f64c1cf06
Instruction ID: ac6bd9236a5d8a734e7fcb98b48a33d9efd7898dd9ca2272e71a3c168d4b8507
Opcode Fuzzy Hash: a77dbad989e3143b53eb5463b68a4ac7d5beef60ca2f518ecfe8aa5f64c1cf06
Instruction Fuzzy Hash: A2F1927A311B80D6FB20DFA1E858B9EB761F7C9B98F508116CA5A47B58DF38C549CB00

Function 000002287BC16790 Relevance: 72.0, APIs: 35, Strings: 6, Instructions: 267stringfileprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC167EC
VirtualFree.KERNEL32 ref: 000002287BC16816
VirtualAlloc.KERNEL32 ref: 000002287BC1687B
VirtualFree.KERNEL32 ref: 000002287BC168AD
VirtualFree.KERNEL32 ref: 000002287BC168D7
memcpy.NTDLL ref: 000002287BC168FD
memcpy.NTDLL ref: 000002287BC169A8
memset.NTDLL ref: 000002287BC169B9
memset.NTDLL ref: 000002287BC169CD
lstrcatW.KERNEL32 ref: 000002287BC169DD
lstrcatW.KERNEL32 ref: 000002287BC169EE
lstrcatW.KERNEL32 ref: 000002287BC169FF
lstrcatW.KERNEL32 ref: 000002287BC16A10
lstrcatW.KERNEL32 ref: 000002287BC16A24
MoveFileW.KERNEL32 ref: 000002287BC16A35
CreateFileW.KERNEL32 ref: 000002287BC16A69
GetLastError.KERNEL32 ref: 000002287BC16A78
WriteFile.KERNEL32 ref: 000002287BC16A97
GetLastError.KERNEL32 ref: 000002287BC16AA1
CloseHandle.KERNEL32 ref: 000002287BC16AB1
MoveFileW.KERNEL32 ref: 000002287BC16AC6
VirtualFree.KERNEL32 ref: 000002287BC16AD7
CloseHandle.KERNEL32 ref: 000002287BC16AEA
DeleteFileW.KERNEL32 ref: 000002287BC16AF7
VirtualFree.KERNEL32 ref: 000002287BC16B08
memset.NTDLL ref: 000002287BC16B5D
lstrcatW.KERNEL32 ref: 000002287BC16B70
lstrcatW.KERNEL32 ref: 000002287BC16B84
lstrcatW.KERNEL32 ref: 000002287BC16B98
CreateProcessW.KERNEL32 ref: 000002287BC16BD8
GetLastError.KERNEL32 ref: 000002287BC16BE2
CloseHandle.KERNEL32 ref: 000002287BC16BF2
CloseHandle.KERNEL32 ref: 000002287BC16C07
GetCurrentProcess.KERNEL32 ref: 000002287BC16C12
TerminateProcess.KERNEL32 ref: 000002287BC16C20

Strings

mimidump.inf, xrefs: 000002287BC169F4
HoopCity.exe, xrefs: 000002287BC16B8A
.bak, xrefs: 000002287BC16A16
192.197.113.45, xrefs: 000002287BC168F0
h, xrefs: 000002287BC16B27
C:\Program Files\Windows Mail, xrefs: 000002287BC169D2, 000002287BC16B62

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
String ID: .bak$192.197.113.45$C:\Program Files\Windows Mail$HoopCity.exe$h$mimidump.inf
API String ID: 2211108363-2944313569
Opcode ID: 4b1dad8eeb07ee2139cf08c80e806bc58869bd98048bae184d219c2ede71a2c0
Instruction ID: 26c6f6b70fcee49bad4cf512cd7b5373e34950993c949993c6adc9acf7d3f56d
Opcode Fuzzy Hash: 4b1dad8eeb07ee2139cf08c80e806bc58869bd98048bae184d219c2ede71a2c0
Instruction Fuzzy Hash: 32D1D436712B8196FB20CFB5D9587A9B362FBC574CF10C226DA8A57A64EF38C156C700

Function 000002287BC27900 Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 324stringmemorynetworkCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC27929
lstrlenW.KERNEL32 ref: 000002287BC27946
lstrlenW.KERNEL32 ref: 000002287BC27959
GetCurrentProcess.KERNEL32 ref: 000002287BC2796F
OpenProcessToken.ADVAPI32 ref: 000002287BC27983
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC279AB
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC279CD
GetLastError.KERNEL32 ref: 000002287BC279D3
CloseHandle.KERNEL32 ref: 000002287BC279E9
GetExtendedUdpTable.IPHLPAPI ref: 000002287BC27A0F
VirtualAlloc.KERNEL32 ref: 000002287BC27A27
GetExtendedUdpTable.IPHLPAPI ref: 000002287BC27A5A
VirtualFree.KERNEL32 ref: 000002287BC27A6F
memset.NTDLL ref: 000002287BC27AEF
lstrlenW.KERNEL32 ref: 000002287BC27B0A
memset.NTDLL ref: 000002287BC27B89
inet_ntoa.WS2_32 ref: 000002287BC27B91
lstrcpyA.KERNEL32 ref: 000002287BC27B9E
lstrlenA.KERNEL32 ref: 000002287BC27BA8
htons.WS2_32 ref: 000002287BC27BD7
lstrlenA.KERNEL32 ref: 000002287BC27C14
memset.NTDLL ref: 000002287BC27C6B
lstrlenW.KERNEL32 ref: 000002287BC27C86
VirtualFree.KERNEL32 ref: 000002287BC27CDD
GetCurrentProcess.KERNEL32 ref: 000002287BC27CF3
OpenProcessToken.ADVAPI32 ref: 000002287BC27D08
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC27D2D
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC27D51
GetLastError.KERNEL32 ref: 000002287BC27D57
CloseHandle.KERNEL32 ref: 000002287BC27D6D
VirtualFree.KERNEL32 ref: 000002287BC27E14
VirtualFree.KERNEL32 ref: 000002287BC27E3E
VirtualFree.KERNEL32 ref: 000002287BC27E5C
VirtualFree.KERNEL32 ref: 000002287BC27E86

Part of subcall function 000002287BC26F90: IsBadReadPtr.KERNEL32 ref: 000002287BC26F9E
Part of subcall function 000002287BC26F90: EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FBB
Part of subcall function 000002287BC26F90: VirtualFree.KERNELBASE(?,?,00000000,000002287BC11E65), ref: 000002287BC26FDF
Part of subcall function 000002287BC26F90: LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC26FF6
Part of subcall function 000002287BC26F90: DeleteCriticalSection.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27000
Part of subcall function 000002287BC26F90: VirtualFree.KERNEL32(?,?,00000000,000002287BC11E65), ref: 000002287BC27011

Strings

UDP, xrefs: 000002287BC27931, 000002287BC27B70
System, xrefs: 000002287BC2794E
SeDebugPrivilege, xrefs: 000002287BC2799A, 000002287BC27D1F
0.0.0.0, xrefs: 000002287BC27C0D, 000002287BC27C34

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$lstrlen$ProcessTokenmemset$CriticalSection$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValue$AllocDeleteEnterLeaveReadhtonsinet_ntoalstrcpy
String ID: 0.0.0.0$SeDebugPrivilege$System$UDP
API String ID: 3759433425-459619966
Opcode ID: 16bc5c60dd7153e9d206d0a92f103a65cf3b9e04207a802a4ba7105ac1c2b3de
Instruction ID: 8c8e439fe694686c6e185f44bd2b2cb01af4315b21216a279d7226ecf122c73b
Opcode Fuzzy Hash: 16bc5c60dd7153e9d206d0a92f103a65cf3b9e04207a802a4ba7105ac1c2b3de
Instruction Fuzzy Hash: 2CF1947A311B40D6F720DF61E85879EB762F7C9B98F508116CA5A47B58DF38C549CB00

Function 000002287BC28910 Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 311stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC28960
VirtualFree.KERNEL32 ref: 000002287BC2898A
VirtualAlloc.KERNEL32 ref: 000002287BC289D9
IsBadReadPtr.KERNEL32 ref: 000002287BC28A3B
EnterCriticalSection.KERNEL32 ref: 000002287BC28A63
LeaveCriticalSection.KERNEL32 ref: 000002287BC28A86
IsBadReadPtr.KERNEL32 ref: 000002287BC28AEC
VirtualAlloc.KERNEL32 ref: 000002287BC28B22
VirtualFree.KERNEL32 ref: 000002287BC28B51
VirtualFree.KERNEL32 ref: 000002287BC28B7B
memset.NTDLL ref: 000002287BC28B90
lstrcatA.KERNEL32 ref: 000002287BC28BB1
LeaveCriticalSection.KERNEL32 ref: 000002287BC28BCE
lstrcatW.KERNEL32 ref: 000002287BC28BF6
memcpy.NTDLL ref: 000002287BC28CB0
memset.NTDLL ref: 000002287BC28CD6
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC28CED
GetLastError.KERNEL32 ref: 000002287BC28CF7
lstrcatW.KERNEL32 ref: 000002287BC28D08
GetSystemDirectoryW.KERNEL32 ref: 000002287BC28D20
GetLastError.KERNEL32 ref: 000002287BC28D2A
lstrcatW.KERNEL32 ref: 000002287BC28DAD
lstrcatW.KERNEL32 ref: 000002287BC28DBE
lstrcatW.KERNEL32 ref: 000002287BC28DCB
VirtualFree.KERNEL32 ref: 000002287BC28E1B
VirtualFree.KERNEL32 ref: 000002287BC28E2C

Strings

\syswow64, xrefs: 000002287BC28CFD
UDP, xrefs: 000002287BC28BDD
:, xrefs: 000002287BC28D73
TCP, xrefs: 000002287BC28BC2
f:^:, xrefs: 000002287BC28D48
V:V:, xrefs: 000002287BC28D40
I:N:, xrefs: 000002287BC28D5B
HTTP, xrefs: 000002287BC28BE8
R:U:, xrefs: 000002287BC28D4D
B:_:, xrefs: 000002287BC28D6B

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Freelstrcat$Read$EnterLeave$DirectoryErrorLastmemset$InitializeSystemWindowsmemcpy
String ID: :$B:_:$HTTP$I:N:$R:U:$TCP$UDP$V:V:$\syswow64$f:^:
API String ID: 1846020110-2823427824
Opcode ID: edbfb01272db3de893631aa679e99bae4e572f143876ddc411167b8806cc7192
Instruction ID: 86ad6fb9a7b903f9931a8811f68cdee087bee72fbf09522d0d55e789637c0ba3
Opcode Fuzzy Hash: edbfb01272db3de893631aa679e99bae4e572f143876ddc411167b8806cc7192
Instruction Fuzzy Hash: 39E1A23A716A80D6FB20CFA6D94CBADB362FBC9B84F548115CE4A47A54DF38D586C700

Function 000002287BC18F00 Relevance: 63.2, APIs: 28, Strings: 8, Instructions: 243memorystringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC18F59
VirtualFree.KERNEL32 ref: 000002287BC18F83
memset.NTDLL ref: 000002287BC18FC0
lstrcatA.KERNEL32 ref: 000002287BC18FE1
lstrcatW.KERNEL32 ref: 000002287BC19014
memcpy.NTDLL ref: 000002287BC190DB
memset.NTDLL ref: 000002287BC19104
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC19116
GetLastError.KERNEL32 ref: 000002287BC19120
lstrcatW.KERNEL32 ref: 000002287BC19132
GetSystemDirectoryW.KERNEL32 ref: 000002287BC19147
GetLastError.KERNEL32 ref: 000002287BC19151
lstrcatW.KERNEL32 ref: 000002287BC19163
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC19175
GetProcessHeap.KERNEL32 ref: 000002287BC19184
HeapAlloc.KERNEL32 ref: 000002287BC19198
CloseHandle.KERNEL32 ref: 000002287BC191A9
WTSGetActiveConsoleSessionId.KERNEL32 ref: 000002287BC191B9
Process32FirstW.KERNEL32 ref: 000002287BC191CA
lstrcmpiW.KERNEL32 ref: 000002287BC191DF
Process32NextW.KERNEL32 ref: 000002287BC191EF
GetProcessHeap.KERNEL32 ref: 000002287BC191FF
HeapFree.KERNEL32 ref: 000002287BC1920D
CloseHandle.KERNEL32 ref: 000002287BC19216
ProcessIdToSessionId.KERNEL32 ref: 000002287BC1922B
VirtualFree.KERNEL32 ref: 000002287BC19275
VirtualFree.KERNEL32 ref: 000002287BC192A5
VirtualFree.KERNEL32 ref: 000002287BC192C3

Strings

\syswow64, xrefs: 000002287BC19126
UDP, xrefs: 000002287BC18FFB
TCP, xrefs: 000002287BC18FF2
@, xrefs: 000002287BC1913A
HTTP, xrefs: 000002287BC19006
\dllhost.exe, xrefs: 000002287BC19157
, xrefs: 000002287BC19109
explorer.exe, xrefs: 000002287BC191D8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Heaplstrcat$EnterProcessRead$CloseDirectoryErrorHandleLastLeaveProcess32Sessionmemset$ActiveConsoleCreateFirstInitializeNextSnapshotSystemToolhelp32Windowslstrcmpimemcpy
String ID: $@$HTTP$TCP$UDP$\dllhost.exe$\syswow64$explorer.exe
API String ID: 2239626338-2826464075
Opcode ID: f421e5e7cd2067f34048b2c34d3348e2c2e1a5cb60743fcfc2c0d18429ac0c0c
Instruction ID: 15dca2e4313ccf5254747a9c7fb9be607b6f8190ac36b73fed489283bf5f5df9
Opcode Fuzzy Hash: f421e5e7cd2067f34048b2c34d3348e2c2e1a5cb60743fcfc2c0d18429ac0c0c
Instruction Fuzzy Hash: DFB1B86A602B84E6FB14CFB6D95C799A3A2FBC9B84F64C215CA4957A54EF38C147C300

Function 000002287BC29EA0 Relevance: 59.8, APIs: 30, Strings: 4, Instructions: 347stringmemoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC29F4C
GetLastError.KERNEL32 ref: 000002287BC29F5A
VirtualFree.KERNEL32 ref: 000002287BC29F7A
VirtualFree.KERNEL32 ref: 000002287BC29FA4
GetLastError.KERNEL32 ref: 000002287BC29FAA
memset.NTDLL ref: 000002287BC29FEA
lstrcatW.KERNEL32 ref: 000002287BC2A0B0
lstrcatW.KERNEL32 ref: 000002287BC2A0C4
lstrcatW.KERNEL32 ref: 000002287BC2A0D8
memset.NTDLL ref: 000002287BC2A0ED
memset.NTDLL ref: 000002287BC2A101
memcpy.NTDLL ref: 000002287BC2A21B
VirtualFree.KERNEL32 ref: 000002287BC2A264
VirtualFree.KERNEL32 ref: 000002287BC2A27A
VirtualFree.KERNEL32 ref: 000002287BC2A2A4
VirtualFree.KERNEL32 ref: 000002287BC2A2B5
OpenProcess.KERNEL32 ref: 000002287BC2A2EA
VirtualAllocEx.KERNEL32 ref: 000002287BC2A31D
WriteProcessMemory.KERNEL32 ref: 000002287BC2A346
CreateRemoteThread.KERNEL32 ref: 000002287BC2A370
VirtualFree.KERNEL32 ref: 000002287BC2A38F
VirtualFree.KERNEL32 ref: 000002287BC2A3B9
VirtualFree.KERNEL32 ref: 000002287BC2A3CA
GetLastError.KERNEL32 ref: 000002287BC2A3DF

Part of subcall function 000002287BC292B0: VirtualFree.KERNEL32 ref: 000002287BC2933E
Part of subcall function 000002287BC292B0: VirtualFree.KERNEL32 ref: 000002287BC29368

VirtualFree.KERNEL32 ref: 000002287BC2A3FF
VirtualFree.KERNEL32 ref: 000002287BC2A429
VirtualFree.KERNEL32 ref: 000002287BC2A43A
GetLastError.KERNEL32 ref: 000002287BC2A440
VirtualFree.KERNEL32 ref: 000002287BC2A458
VirtualFree.KERNEL32 ref: 000002287BC2A482

Strings

:, xrefs: 000002287BC2A1F0
192.197.113.45, xrefs: 000002287BC29FF9
Inject Test, xrefs: 000002287BC2A056, 000002287BC2A0B6, 000002287BC2A0CA
@, xrefs: 000002287BC2A312

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$ErrorLast$lstrcatmemset$AllocProcess$CreateMemoryOpenRemoteThreadWritememcpy
String ID: 192.197.113.45$:$@$Inject Test
API String ID: 1625309433-2623251663
Opcode ID: 3bc136f16f1fcb778956d2e6d73309da67f29c20123973dad4795ba6fd3a8330
Instruction ID: e1abbe8d7041455bf3db8f050cba94e007f8c7b102b69d1f4d116a56a97ec526
Opcode Fuzzy Hash: 3bc136f16f1fcb778956d2e6d73309da67f29c20123973dad4795ba6fd3a8330
Instruction Fuzzy Hash: A9F1C426A02FC186F724CF75D8187ED7362FBDAB88F24D215DA4946A55EF38C286C700

Function 000002287BC29B00 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 204stringsleeplibraryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC29B45
memset.NTDLL ref: 000002287BC29B59
VirtualFree.KERNEL32 ref: 000002287BC29B90
VirtualFree.KERNEL32 ref: 000002287BC29BD2
GetModuleHandleW.KERNEL32 ref: 000002287BC29BDF
GetProcAddress.KERNEL32 ref: 000002287BC29BFB
GetProcAddress.KERNEL32 ref: 000002287BC29C0E
GetCurrentProcess.KERNEL32 ref: 000002287BC29C25
OpenProcessToken.ADVAPI32 ref: 000002287BC29C38
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC29C60
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC29C82
GetLastError.KERNEL32 ref: 000002287BC29C88
CloseHandle.KERNEL32 ref: 000002287BC29C9C
OpenProcess.KERNEL32 ref: 000002287BC29CB0
K32EnumProcessModules.KERNEL32 ref: 000002287BC29CCE
K32GetProcessImageFileNameW.KERNEL32 ref: 000002287BC29CE1
GetLogicalDriveStringsW.KERNEL32 ref: 000002287BC29D03
QueryDosDeviceW.KERNEL32 ref: 000002287BC29D53
lstrlenW.KERNEL32 ref: 000002287BC29D62
wcsncmp.NTDLL ref: 000002287BC29D77
lstrcpyW.KERNEL32 ref: 000002287BC29DAB
TerminateProcess.KERNEL32 ref: 000002287BC29DE1
Sleep.KERNEL32 ref: 000002287BC29DF0
DeleteFileW.KERNEL32 ref: 000002287BC29DFD
lstrcpyW.KERNEL32 ref: 000002287BC29E11
lstrcatW.KERNEL32 ref: 000002287BC29E26
CloseHandle.KERNEL32 ref: 000002287BC29E51
Sleep.KERNEL32 ref: 000002287BC29E5C

Strings

ntdll.dll, xrefs: 000002287BC29BD8
NtSuspendProcess, xrefs: 000002287BC29BF1
SeDebugPrivilege, xrefs: 000002287BC29C4F
NtResumeProcess, xrefs: 000002287BC29C01

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$Handle$AddressCloseFileFreeOpenProcSleepTokenVirtuallstrcpymemset$AdjustCurrentDeleteDeviceDriveEnumErrorImageLastLogicalLookupModuleModulesNamePrivilegePrivilegesQueryStringsTerminateValuelstrcatlstrlenwcsncmp
String ID: NtResumeProcess$NtSuspendProcess$SeDebugPrivilege$ntdll.dll
API String ID: 335747669-263106891
Opcode ID: 739355a01392140f3596ff1d7456f89cfe2b7b127bffbd39350a94e430bf1ca6
Instruction ID: 44731e86943339de871cf5e79e2302e03073ea64a4d9ede27a8ff1e53529df5c
Opcode Fuzzy Hash: 739355a01392140f3596ff1d7456f89cfe2b7b127bffbd39350a94e430bf1ca6
Instruction Fuzzy Hash: D2A1D939212A81E2FB60CFA1D85C7D9B3A2FBC5B58F54C116DA4A47698DF78C547C700

Function 000002287BC1E6B0 Relevance: 56.3, APIs: 29, Strings: 3, Instructions: 289memorystringfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1E6EB
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC1E6F9
GetLastError.KERNEL32 ref: 000002287BC1E703
lstrcatW.KERNEL32 ref: 000002287BC1E734
CreateFileW.KERNEL32 ref: 000002287BC1E7A3
GetLastError.KERNEL32 ref: 000002287BC1E7B2
WriteFile.KERNEL32 ref: 000002287BC1E7CF
GetLastError.KERNEL32 ref: 000002287BC1E7D9
CloseHandle.KERNEL32 ref: 000002287BC1E7E7
VirtualAlloc.KERNEL32 ref: 000002287BC1E83D
VirtualAlloc.KERNEL32 ref: 000002287BC1E8F5
lstrlenW.KERNEL32 ref: 000002287BC1E924
lstrlenW.KERNEL32 ref: 000002287BC1E952
VirtualFree.KERNEL32 ref: 000002287BC1E974
VirtualAlloc.KERNEL32 ref: 000002287BC1E9A0
VirtualAlloc.KERNEL32 ref: 000002287BC1E9D5
wsprintfW.USER32 ref: 000002287BC1E9F7
VirtualAlloc.KERNEL32 ref: 000002287BC1EA4F
lstrcatW.KERNEL32 ref: 000002287BC1EA67
PathRemoveFileSpecW.SHLWAPI ref: 000002287BC1EA70
CreateProcessW.KERNEL32 ref: 000002287BC1EAAC
CloseHandle.KERNEL32 ref: 000002287BC1EABC
CloseHandle.KERNEL32 ref: 000002287BC1EAD1
VirtualFree.KERNEL32 ref: 000002287BC1EAE7
VirtualFree.KERNEL32 ref: 000002287BC1EAF8
VirtualFree.KERNEL32 ref: 000002287BC1EB09
VirtualFree.KERNEL32 ref: 000002287BC1EB1A
VirtualFree.KERNEL32 ref: 000002287BC1EB30
VirtualFree.KERNEL32 ref: 000002287BC1EB5A

Strings

rar.exe a "%s" %s -m5, xrefs: 000002287BC1E9EA
\rar.exe, xrefs: 000002287BC1E711
h, xrefs: 000002287BC1EA3E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$Alloc$CloseErrorFileHandleLast$Createlstrcatlstrlen$DirectoryPathProcessRemoveSpecWindowsWritememsetwsprintf
String ID: \rar.exe$h$rar.exe a "%s" %s -m5
API String ID: 460989278-1571478729
Opcode ID: 69e24446d7ee9e21851fb7b2c18dab1fce21110ab0cee690b2221f971960732f
Instruction ID: 7a5e60ddb8bb3b13c28da189988075017da559eb6cf7b111a20559eca49bd953
Opcode Fuzzy Hash: 69e24446d7ee9e21851fb7b2c18dab1fce21110ab0cee690b2221f971960732f
Instruction Fuzzy Hash: 94D19076312A4197FB24CF62E95C79DA3A2FB89B88F148125CE4A57B58DF38C146CB04

Function 000002287BC2BE50 Relevance: 52.9, APIs: 5, Strings: 25, Instructions: 441stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC2C65E
lstrcatW.KERNEL32 ref: 000002287BC2C689
lstrcatW.KERNEL32 ref: 000002287BC2C6AF
lstrcatW.KERNEL32 ref: 000002287BC2C7BA
lstrcatW.KERNEL32 ref: 000002287BC2C7CA

Strings

U:M:, xrefs: 000002287BC2C296
T:I:, xrefs: 000002287BC2BE92
U:M:, xrefs: 000002287BC2BF47
i:_:, xrefs: 000002287BC2C2A6
::, xrefs: 000002287BC2C081
m:S:, xrefs: 000002287BC2C06F
T:I:, xrefs: 000002287BC2BF4E
Windows XP, xrefs: 000002287BC2C67B
_:H:i:_:U:M:m:S:, xrefs: 000002287BC2BEE5
H:L:, xrefs: 000002287BC2C2AE
m:S:, xrefs: 000002287BC2BF2F
_:H:, xrefs: 000002287BC2C2B6
L:_:, xrefs: 000002287BC2BF63
U:M:, xrefs: 000002287BC2C598
T:^:, xrefs: 000002287BC2C590
:U:M:m:S:, xrefs: 000002287BC2BFFF
:, xrefs: 000002287BC2BEBA
:, xrefs: 000002287BC2C2DD
m:S:, xrefs: 000002287BC2BEA5
N:[:, xrefs: 000002287BC2BEB2
T:^:, xrefs: 000002287BC2BF3F
:, xrefs: 000002287BC2C5D7
_:H:, xrefs: 000002287BC2BF5C
T:^:, xrefs: 000002287BC2C28E
Windows 2003, xrefs: 000002287BC2C6A1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcat$memset
String ID: ::$:U:M:m:S:$:$:$:$H:L:$L:_:$N:[:$T:I:$T:I:$T:^:$T:^:$T:^:$U:M:$U:M:$U:M:$Windows 2003$Windows XP$_:H:$_:H:$_:H:i:_:U:M:m:S:$i:_:$m:S:$m:S:$m:S:
API String ID: 2788080104-1869930141
Opcode ID: 81779fb8ec2fb7844face486dbf9875196088208072ce9a1f42b90166b46e7d7
Instruction ID: 6d0cc76d0e804aae92b63c6cad43c0272c64254fc5d5ba97bf64b7c06324eec7
Opcode Fuzzy Hash: 81779fb8ec2fb7844face486dbf9875196088208072ce9a1f42b90166b46e7d7
Instruction Fuzzy Hash: 564249775197C0CAE331CF64A4402DEBBB1F799748F14920AEBD81AA59DB78E285CF01

Function 000002287BC2F920 Relevance: 50.0, APIs: 33, Instructions: 451servicestringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

OpenSCManagerW.ADVAPI32 ref: 000002287BC2F96A
EnumServicesStatusW.ADVAPI32 ref: 000002287BC2F9AC
LocalAlloc.KERNEL32 ref: 000002287BC2F9BD
EnumServicesStatusW.ADVAPI32 ref: 000002287BC2FA16
memset.NTDLL ref: 000002287BC2FA3C
OpenServiceW.ADVAPI32 ref: 000002287BC2FA59
lstrlenW.KERNEL32 ref: 000002287BC2FA70
memcpy.NTDLL ref: 000002287BC2FB15
lstrlenW.KERNEL32 ref: 000002287BC2FB1F
memcpy.NTDLL ref: 000002287BC2FBA2
VirtualAlloc.KERNEL32 ref: 000002287BC2FBB8
QueryServiceConfig2W.ADVAPI32 ref: 000002287BC2FBE7
lstrlenW.KERNEL32 ref: 000002287BC2FBF9
memcpy.NTDLL ref: 000002287BC2FC7F
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalSection$Free$EnterReadServicelstrlenmemcpy$EnumLeaveLocalOpenServicesStatus$CloseConfig2HandleInitializeManagerQuerymemset
String ID:
API String ID: 1976463032-0
Opcode ID: 7b2f46c046eb0df612dace71feae6b13266046c80c2e61bb4cea95ef20f33a6a
Instruction ID: d8ccae86e541dbbf990de4e15f59c8428891a3cd4b4d300e5fd53d7298f298db
Opcode Fuzzy Hash: 7b2f46c046eb0df612dace71feae6b13266046c80c2e61bb4cea95ef20f33a6a
Instruction Fuzzy Hash: 15328E26A15BC592F711CF69D9587AC7361F7AAB88F24E215CF8913A12EF34E2D5C300

Function 000002287BC59F20 Relevance: 49.4, APIs: 14, Strings: 14, Instructions: 427networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC56510: memcpy.NTDLL(?,?,Unable to connect,000002287BC59F78), ref: 000002287BC56603
Part of subcall function 000002287BC56510: memcpy.NTDLL(?,?,Unable to connect,000002287BC59F78), ref: 000002287BC56621

Part of subcall function 000002287BC5F130: memcpy.NTDLL(?,?,?,?,?,?,?,?,Unable to connect,000002287BC59F83), ref: 000002287BC5F188

freeaddrinfo.WS2_32 ref: 000002287BC59F86
connect.WS2_32 ref: 000002287BC5A087
WSAGetLastError.WS2_32 ref: 000002287BC5A095
WSAGetLastError.WS2_32 ref: 000002287BC5A0E0
strncpy.MSVCRT ref: 000002287BC5A139
htons.WS2_32 ref: 000002287BC5A192
socket.WS2_32 ref: 000002287BC5A209
WSAGetLastError.WS2_32 ref: 000002287BC5A21B
WSAGetLastError.WS2_32 ref: 000002287BC5A266
closesocket.WS2_32 ref: 000002287BC5A543
getsockname.WS2_32 ref: 000002287BC5A60F

Strings

POST, xrefs: 000002287BC59F25
conn fail: %d, xrefs: 000002287BC5A0E6
RAW, xrefs: 000002287BC59F27
conn fail: skt options: errno %d, xrefs: 000002287BC5A26C
conn fail: socket bind, xrefs: 000002287BC5A3AD
waiting for event loop watcher to close, xrefs: 000002287BC5A5BB
conn fail: insert fd, xrefs: 000002287BC5A2FD
GET, xrefs: 000002287BC59F29
conn fail: sock accept, xrefs: 000002287BC5A2CA
lws_free, xrefs: 000002287BC5A177
Unable to connect, xrefs: 000002287BC59F3E, 000002287BC5A3F7, 000002287BC5A4BF, 000002287BC5A4D1, 000002287BC5A519
conn fail: change pollfd, xrefs: 000002287BC5A31A
conn fail: skt creation: errno %d, xrefs: 000002287BC5A221
client_connect3, xrefs: 000002287BC5A58A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$memcpy$closesocketconnectfreeaddrinfogetsocknamehtonssocketstrncpy
String ID: GET$POST$RAW$Unable to connect$client_connect3$conn fail: %d$conn fail: change pollfd$conn fail: insert fd$conn fail: skt creation: errno %d$conn fail: skt options: errno %d$conn fail: sock accept$conn fail: socket bind$lws_free$waiting for event loop watcher to close
API String ID: 3000816023-458479724
Opcode ID: eb5c3f84558ecdbfd18ac383cc6d319a2892e754ee5c4f588fd732f29735face
Instruction ID: 0d34c3422ebadb23b14ad64907670d37bc00406316c7d1262ce4121d1e906120
Opcode Fuzzy Hash: eb5c3f84558ecdbfd18ac383cc6d319a2892e754ee5c4f588fd732f29735face
Instruction Fuzzy Hash: 5312C72A612781A5FB50DFA2D4083EDA7A2FBD4B98F788032EE0957699DF34C547C710

Function 000002287BC188E0 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 274memoryfilestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC188F8
lstrcatW.KERNEL32 ref: 000002287BC18909
lstrcatW.KERNEL32 ref: 000002287BC1891B
CreateFileW.KERNEL32 ref: 000002287BC18953
GetFileSize.KERNEL32 ref: 000002287BC1897B
VirtualAlloc.KERNEL32 ref: 000002287BC18992
ReadFile.KERNEL32 ref: 000002287BC189BA
VirtualFree.KERNEL32 ref: 000002287BC18AAC
VirtualAlloc.KERNEL32 ref: 000002287BC18B08
VirtualAlloc.KERNEL32 ref: 000002287BC18B70
IsBadReadPtr.KERNEL32 ref: 000002287BC18BBA
EnterCriticalSection.KERNEL32 ref: 000002287BC18BD0
LeaveCriticalSection.KERNEL32 ref: 000002287BC18BF5
IsBadReadPtr.KERNEL32 ref: 000002287BC18C0A
EnterCriticalSection.KERNEL32 ref: 000002287BC18C1D
VirtualAlloc.KERNEL32 ref: 000002287BC18C34
LeaveCriticalSection.KERNEL32 ref: 000002287BC18C58
VirtualFree.KERNEL32 ref: 000002287BC18C9D
VirtualFree.KERNEL32 ref: 000002287BC18CC7
LeaveCriticalSection.KERNEL32 ref: 000002287BC18CDA
IsBadReadPtr.KERNEL32 ref: 000002287BC18CF9
EnterCriticalSection.KERNEL32 ref: 000002287BC18D14
GetLastError.KERNEL32 ref: 000002287BC18D42
CloseHandle.KERNEL32 ref: 000002287BC18D60

Strings

\cp.cfg, xrefs: 000002287BC1890F
@, xrefs: 000002287BC189DB
C:\Program Files\Windows Mail, xrefs: 000002287BC188FD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocRead$EnterFileFreeLeave$lstrcat$CloseCreateErrorHandleLastSizememset
String ID: @$C:\Program Files\Windows Mail$\cp.cfg
API String ID: 1502650097-1776503346
Opcode ID: f15dfe6790652864035020a4c4ae5e7f25b6424366a9ee693396d80b06e4d85c
Instruction ID: ed19d00cef9855e1282380b8cc32e57eba2220f4572d3fdd13c5225665ca378a
Opcode Fuzzy Hash: f15dfe6790652864035020a4c4ae5e7f25b6424366a9ee693396d80b06e4d85c
Instruction Fuzzy Hash: FBC1D376306B8492FB248F65D65C769A3A2FBC6B84F68C215CE9A13B94DF38C416C701

Function 000002287BC19B50 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 175stringclipboardmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000002287BC19B9A
WideCharToMultiByte.KERNEL32 ref: 000002287BC19BC6
VirtualAlloc.KERNEL32 ref: 000002287BC19BE9
lstrlenW.KERNEL32 ref: 000002287BC19BFE

Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C997
Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C9BF

lstrlenW.KERNEL32 ref: 000002287BC19C7F
WideCharToMultiByte.KERNEL32 ref: 000002287BC19CA8
VirtualAlloc.KERNEL32 ref: 000002287BC19CBD
lstrlenW.KERNEL32 ref: 000002287BC19CD6
WideCharToMultiByte.KERNEL32 ref: 000002287BC19D02
WideCharToMultiByte.KERNEL32 ref: 000002287BC19D29
lstrlenA.KERNEL32 ref: 000002287BC19D32
memcpy.NTDLL ref: 000002287BC19D44
OpenClipboard.USER32 ref: 000002287BC19D4B
EmptyClipboard.USER32 ref: 000002287BC19D55
lstrlenA.KERNEL32 ref: 000002287BC19D5E
GlobalAlloc.KERNEL32 ref: 000002287BC19D6E
GlobalLock.KERNEL32 ref: 000002287BC19D83
lstrlenA.KERNEL32 ref: 000002287BC19D94
memcpy.NTDLL ref: 000002287BC19DA3
GlobalUnlock.KERNEL32 ref: 000002287BC19DAF
SetClipboardData.USER32 ref: 000002287BC19DBD
CloseClipboard.USER32 ref: 000002287BC19DC3
VirtualFree.KERNEL32 ref: 000002287BC19DD4
VirtualFree.KERNEL32 ref: 000002287BC19DE5

Strings

!, xrefs: 000002287BC19C36

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide$ClipboardVirtual$AllocGlobal$Freememcpy$CloseDataEmptyLockOpenUnlock
String ID: !
API String ID: 17242508-2657877971
Opcode ID: 20bafc32ef5a585f558690f26a764bf30522b84af687a9e6b7f5ff9df58e1b49
Instruction ID: f4709e106b51c48890fe957b740aa21b4b443e4ff52daec8168139da72ffb674
Opcode Fuzzy Hash: 20bafc32ef5a585f558690f26a764bf30522b84af687a9e6b7f5ff9df58e1b49
Instruction Fuzzy Hash: 45717E79202B4092FB14DFA6A99C759B2A3FBC9B85F548025D98B67B64DF3CC1478700

Function 000002287BC1E370 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 199stringfilesleepCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 000002287BC1E39C
memset.NTDLL ref: 000002287BC1E3C4
memset.NTDLL ref: 000002287BC1E3D8
lstrcatW.KERNEL32 ref: 000002287BC1E3E7
lstrcatW.KERNEL32 ref: 000002287BC1E3FB
FindFirstFileW.KERNEL32 ref: 000002287BC1E446
FindNextFileW.KERNEL32 ref: 000002287BC1E465
memset.NTDLL ref: 000002287BC1E4B2
lstrcatW.KERNEL32 ref: 000002287BC1E4C1
lstrcatW.KERNEL32 ref: 000002287BC1E4D2
lstrcatW.KERNEL32 ref: 000002287BC1E4E6
Sleep.KERNEL32 ref: 000002287BC1E4F1
lstrlenW.KERNEL32 ref: 000002287BC1E4FE
wcsstr.NTDLL ref: 000002287BC1E530
GetCurrentThread.KERNEL32 ref: 000002287BC1E57F
IsBadReadPtr.KERNEL32 ref: 000002287BC1E590
EnterCriticalSection.KERNEL32 ref: 000002287BC1E5A3
LeaveCriticalSection.KERNEL32 ref: 000002287BC1E5C4
FindNextFileW.KERNEL32 ref: 000002287BC1E60E
LeaveCriticalSection.KERNEL32 ref: 000002287BC1E622
WaitForSingleObject.KERNEL32 ref: 000002287BC1E635
VirtualFree.KERNEL32 ref: 000002287BC1E64F
VirtualFree.KERNEL32 ref: 000002287BC1E67F

Strings

*.*, xrefs: 000002287BC1E3ED

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
String ID: *.*
API String ID: 491004167-438819550
Opcode ID: 41c60606cf71299194d094ffcb0d79d7accedc4f2f3c97aeda98fc52c43179c5
Instruction ID: 25d9e086a9a697236c39c287d57821dce9ed6262cc1de167ff272fd7fc1a2654
Opcode Fuzzy Hash: 41c60606cf71299194d094ffcb0d79d7accedc4f2f3c97aeda98fc52c43179c5
Instruction Fuzzy Hash: 5A91967A302B45E7FB20DFA2D94C799A3A2F7C9B84F548016DE4987A58EF38C556C700

Function 000002287BC18390 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 320memoryfilestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC184ED
lstrcatW.KERNEL32 ref: 000002287BC18501
lstrcatW.KERNEL32 ref: 000002287BC18516
CreateFileW.KERNEL32 ref: 000002287BC1854D
SetFilePointer.KERNEL32 ref: 000002287BC18569
WriteFile.KERNEL32 ref: 000002287BC18587
CloseHandle.KERNEL32 ref: 000002287BC18590
VirtualAlloc.KERNEL32 ref: 000002287BC1869B
VirtualAlloc.KERNEL32 ref: 000002287BC18703
IsBadReadPtr.KERNEL32 ref: 000002287BC1874D
EnterCriticalSection.KERNEL32 ref: 000002287BC18763
LeaveCriticalSection.KERNEL32 ref: 000002287BC18786
IsBadReadPtr.KERNEL32 ref: 000002287BC1879B
EnterCriticalSection.KERNEL32 ref: 000002287BC187AE
VirtualAlloc.KERNEL32 ref: 000002287BC187C5
LeaveCriticalSection.KERNEL32 ref: 000002287BC187E9
VirtualFree.KERNEL32 ref: 000002287BC187FF
VirtualFree.KERNEL32 ref: 000002287BC18829
LeaveCriticalSection.KERNEL32 ref: 000002287BC18865
IsBadReadPtr.KERNEL32 ref: 000002287BC18884
EnterCriticalSection.KERNEL32 ref: 000002287BC1889F

Strings

\cp.cfg, xrefs: 000002287BC18507
C:\Program Files\Windows Mail, xrefs: 000002287BC184F2

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
String ID: C:\Program Files\Windows Mail$\cp.cfg
API String ID: 1370748441-3904790782
Opcode ID: bca81e2efae6b1571e8d57f22e6010d2909c7d5f413c38ae0f0f4c8813eca49a
Instruction ID: d4c3318b7e12967d9026c6faeae0fe8b3db084a001ec00fab05ce9d69499c4e1
Opcode Fuzzy Hash: bca81e2efae6b1571e8d57f22e6010d2909c7d5f413c38ae0f0f4c8813eca49a
Instruction Fuzzy Hash: CFE1F67A716B8492FB148F65E64C76DA3A2FBC6B84F64C216DE8913B54EF38C146C700

Function 000002287BC265C0 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 173filestringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2660F
VirtualFree.KERNEL32 ref: 000002287BC26639
memset.NTDLL ref: 000002287BC26677
lstrcatW.KERNEL32 ref: 000002287BC2668B
CreateFileW.KERNEL32 ref: 000002287BC266C5
htons.WS2_32 ref: 000002287BC266F8
memset.NTDLL ref: 000002287BC26726
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC26738
GetLastError.KERNEL32 ref: 000002287BC26742
lstrcatW.KERNEL32 ref: 000002287BC26757
CreateFileW.KERNEL32 ref: 000002287BC2679D
GetLastError.KERNEL32 ref: 000002287BC267AC
WriteFile.KERNEL32 ref: 000002287BC267CA
GetLastError.KERNEL32 ref: 000002287BC267D4
CloseHandle.KERNEL32 ref: 000002287BC267E2
htons.WS2_32 ref: 000002287BC26803
VirtualFree.KERNEL32 ref: 000002287BC2682C
VirtualFree.KERNEL32 ref: 000002287BC26842
VirtualFree.KERNEL32 ref: 000002287BC2686C

Strings

tpdrivers, xrefs: 000002287BC2667C
\\.\{F8284233-48F4-4680-ADDD-F8284233}, xrefs: 000002287BC266A4
\system32\drivers\tpdrivers.sys, xrefs: 000002287BC26748
192.197.113.45, xrefs: 000002287BC267E8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocFree$EnterErrorFileLastRead$CreateLeavehtonslstrcatmemset$CloseDirectoryHandleInitializeWindowsWrite
String ID: 192.197.113.45$\\.\{F8284233-48F4-4680-ADDD-F8284233}$\system32\drivers\tpdrivers.sys$tpdrivers
API String ID: 3655753775-3639078956
Opcode ID: 919cc55b61c48cfdaf4edc72b84664017df8a73146a8bb9e500be7668f24e105
Instruction ID: c3c4be10254eebed1e2063b0d99f2a3b9a68946fb01de8cecbfded50b867ac76
Opcode Fuzzy Hash: 919cc55b61c48cfdaf4edc72b84664017df8a73146a8bb9e500be7668f24e105
Instruction Fuzzy Hash: C871A829716A40A2FB64DFA2F55C79AF3A2FBC9B44F14C125DA8A43A94DF3CC0568710

Function 000002287BC192F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 195sleepmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC19340
VirtualFree.KERNEL32 ref: 000002287BC1936A
memset.NTDLL ref: 000002287BC193B6
VirtualFree.KERNEL32 ref: 000002287BC193EA
VirtualFree.KERNEL32 ref: 000002287BC19414
malloc.MSVCRT ref: 000002287BC1941F
wsprintfA.USER32 ref: 000002287BC19445
CreateMutexA.KERNEL32 ref: 000002287BC19452
GetLastError.KERNEL32 ref: 000002287BC1945D
free.MSVCRT ref: 000002287BC1946D
lstrcatW.KERNEL32 ref: 000002287BC19487
VirtualAlloc.KERNEL32 ref: 000002287BC1952A
memcpy.NTDLL ref: 000002287BC19554
memcpy.NTDLL ref: 000002287BC1956E
Sleep.KERNEL32 ref: 000002287BC19578
GetCurrentProcessId.KERNEL32 ref: 000002287BC19586
VirtualFree.KERNEL32 ref: 000002287BC195BA
VirtualFree.KERNEL32 ref: 000002287BC195D5
VirtualFree.KERNEL32 ref: 000002287BC195FF

Strings

%s%d, xrefs: 000002287BC1943B
Inject Test, xrefs: 000002287BC19478
:, xrefs: 000002287BC19500

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
String ID: %s%d$:$Inject Test
API String ID: 3230380526-1060902658
Opcode ID: c5765972512c8ed66fda6ab9132c5441f00b95d89a35d61cc81ef2c02852fef9
Instruction ID: 513b02a003ba55705f2578a5c3576956dc9109f8e77706b96e9b5cb532337257
Opcode Fuzzy Hash: c5765972512c8ed66fda6ab9132c5441f00b95d89a35d61cc81ef2c02852fef9
Instruction Fuzzy Hash: E5919379706B4592FB14DFA6E458769A3A2FBCAF84F68C225898A53B54DF3CC046C700

Function 000002287BC1A020 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 152stringmemorythreadCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 000002287BC1A032
MultiByteToWideChar.KERNEL32 ref: 000002287BC1A26E
MultiByteToWideChar.KERNEL32 ref: 000002287BC1A28E
lstrlenW.KERNEL32 ref: 000002287BC1A297

Part of subcall function 000002287BC1A2F0: WriteFile.KERNEL32 ref: 000002287BC1A51A
Part of subcall function 000002287BC1A2F0: VirtualFree.KERNEL32 ref: 000002287BC1A52B
Part of subcall function 000002287BC1A2F0: SetFileAttributesW.KERNEL32 ref: 000002287BC1A53B
Part of subcall function 000002287BC1A2F0: CloseHandle.KERNEL32 ref: 000002287BC1A549

lstrlenW.KERNEL32 ref: 000002287BC1A04B

Part of subcall function 000002287BC1A2F0: GetTickCount.KERNEL32 ref: 000002287BC1A30B
Part of subcall function 000002287BC1A2F0: memset.NTDLL ref: 000002287BC1A324
Part of subcall function 000002287BC1A2F0: lstrcatW.KERNEL32 ref: 000002287BC1A335
Part of subcall function 000002287BC1A2F0: lstrcatW.KERNEL32 ref: 000002287BC1A347
Part of subcall function 000002287BC1A2F0: CreateFileW.KERNEL32 ref: 000002287BC1A37E
Part of subcall function 000002287BC1A2F0: CreateFileW.KERNEL32 ref: 000002287BC1A3B3
Part of subcall function 000002287BC1A2F0: SetFilePointer.KERNEL32 ref: 000002287BC1A3C8
Part of subcall function 000002287BC1A2F0: WriteFile.KERNEL32 ref: 000002287BC1A3F7
Part of subcall function 000002287BC1A2F0: SetFileAttributesW.KERNEL32 ref: 000002287BC1A406
Part of subcall function 000002287BC1A2F0: SetFilePointer.KERNEL32 ref: 000002287BC1A41A
Part of subcall function 000002287BC1A2F0: VirtualAlloc.KERNEL32 ref: 000002287BC1A42F

memset.NTDLL ref: 000002287BC1A073
memset.NTDLL ref: 000002287BC1A093
GetForegroundWindow.USER32 ref: 000002287BC1A098
GetWindowTextW.USER32 ref: 000002287BC1A0B3
GetWindowThreadProcessId.USER32 ref: 000002287BC1A0C7
ProcessIdToSessionId.KERNEL32 ref: 000002287BC1A0F0
memset.NTDLL ref: 000002287BC1A105
lstrlenW.KERNEL32 ref: 000002287BC1A123
GetLocalTime.KERNEL32 ref: 000002287BC1A136
wsprintfW.USER32 ref: 000002287BC1A19E
lstrlenW.KERNEL32 ref: 000002287BC1A1AB
lstrlenA.KERNEL32 ref: 000002287BC1A1F1
MultiByteToWideChar.KERNEL32 ref: 000002287BC1A20A
VirtualAlloc.KERNEL32 ref: 000002287BC1A236
lstrlenA.KERNEL32 ref: 000002287BC1A253

Strings

[Keyboard recording content:], xrefs: 000002287BC1A044, 000002287BC1A051
[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d, xrefs: 000002287BC1A175

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: File$lstrlen$memset$ByteCharMultiVirtualWideWindow$AllocAttributesCreatePointerProcessWritelstrcat$CloseCountForegroundFreeHandleLocalSessionTextThreadTickTime__chkstkwsprintf
String ID: [Keyboard recording content:]$[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d
API String ID: 599969897-1868071797
Opcode ID: fc949c9e7c180c8da36c131bbee31611ea2d52e97aebed103c6a9c4030655ac8
Instruction ID: c1b7b987851b747bce4650885f397562c9aec96c11c7fd24822d66a5dd7b61a5
Opcode Fuzzy Hash: fc949c9e7c180c8da36c131bbee31611ea2d52e97aebed103c6a9c4030655ac8
Instruction Fuzzy Hash: CB71C639205684E6F720CFA5E8487E9B3A2F7C9B85F548026E94E47A64DF3CC147CB40

Function 000002287BC2B360 Relevance: 37.9, APIs: 25, Instructions: 372registryCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 000002287BC2B378
memset.NTDLL ref: 000002287BC2B39D
memset.NTDLL ref: 000002287BC2B3B1

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2B446
VirtualFree.KERNEL32 ref: 000002287BC2B470
RegOpenKeyExW.ADVAPI32 ref: 000002287BC2B4AA
VirtualFree.KERNEL32 ref: 000002287BC2B4EC
VirtualFree.KERNEL32 ref: 000002287BC2B516
memset.NTDLL ref: 000002287BC2B52D
RegEnumKeyExW.ADVAPI32 ref: 000002287BC2B562
memset.NTDLL ref: 000002287BC2B5B8
RegEnumKeyExW.ADVAPI32 ref: 000002287BC2B5ED
memset.NTDLL ref: 000002287BC2B616
memset.NTDLL ref: 000002287BC2B62A
RegEnumValueW.ADVAPI32 ref: 000002287BC2B685
memset.NTDLL ref: 000002287BC2B726
memset.NTDLL ref: 000002287BC2B73A
RegEnumValueW.ADVAPI32 ref: 000002287BC2B795
RegCloseKey.ADVAPI32 ref: 000002287BC2B7A8
VirtualFree.KERNEL32 ref: 000002287BC2B8A5
VirtualFree.KERNEL32 ref: 000002287BC2B8CF
VirtualFree.KERNEL32 ref: 000002287BC2B8E5
VirtualFree.KERNEL32 ref: 000002287BC2B90F
VirtualFree.KERNEL32 ref: 000002287BC2B925
VirtualFree.KERNEL32 ref: 000002287BC2B94F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
String ID:
API String ID: 2734444383-0
Opcode ID: c0c9833c2f1ec5aa2b8413b7e82f312a022f5a55e2d428ebe758d45864ea3803
Instruction ID: 2aeaa99a79275a61b9a21616042cae7ff3a801f5fefe1f193a7091964369147c
Opcode Fuzzy Hash: c0c9833c2f1ec5aa2b8413b7e82f312a022f5a55e2d428ebe758d45864ea3803
Instruction Fuzzy Hash: 03F17D36301B8196EB74CFA2D998B9EB3A1FB89B85F508015DF5A47B58DF38C156CB00

Function 000002287BC35030 Relevance: 37.7, APIs: 25, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35047
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35086
memset.NTDLL ref: 000002287BC350A5
CreateEventW.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC350BC
CreateEventW.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC350D1
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC350E3
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC351D5
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC351E7
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC351FC
IsBadReadPtr.KERNEL32 ref: 000002287BC3520E
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35221
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35238
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35267
IsBadReadPtr.KERNEL32 ref: 000002287BC35279
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC3528C
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC352A3
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC352D2
IsBadReadPtr.KERNEL32 ref: 000002287BC352E4
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC352F7
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC3530E
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC3533D
IsBadReadPtr.KERNEL32 ref: 000002287BC3534F
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35362
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC35379
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14C0C), ref: 000002287BC353A8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent$memset
String ID:
API String ID: 1099351009-0
Opcode ID: d76a2c5b0969588b41ef461a21c153d8670cb52fb012b22ca1de8b5fbc59f176
Instruction ID: 1236f22a79dd406d17f0f8b0f1f98dcf24069f8c781b72fcd2b1205804109de4
Opcode Fuzzy Hash: d76a2c5b0969588b41ef461a21c153d8670cb52fb012b22ca1de8b5fbc59f176
Instruction Fuzzy Hash: EAB16F39202F40E2FB458F61EA48799B7A6F785B84FA0C126CB5D43760EF38D566D341

Function 000002287BC308A0 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 186pipeprocessstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC308F2
CreatePipe.KERNEL32 ref: 000002287BC3091A
CloseHandle.KERNEL32 ref: 000002287BC3092C
CloseHandle.KERNEL32 ref: 000002287BC3093E
VirtualFree.KERNEL32 ref: 000002287BC30958
VirtualFree.KERNEL32 ref: 000002287BC30982
CreatePipe.KERNEL32 ref: 000002287BC309A3
CloseHandle.KERNEL32 ref: 000002287BC309B6
CloseHandle.KERNEL32 ref: 000002287BC309CD
GetStartupInfoW.KERNEL32 ref: 000002287BC30A0B
lstrcatW.KERNEL32 ref: 000002287BC30A47
VirtualFree.KERNEL32 ref: 000002287BC30A5D
VirtualFree.KERNEL32 ref: 000002287BC30A87
CreateProcessW.KERNEL32 ref: 000002287BC30AC6
CloseHandle.KERNEL32 ref: 000002287BC30AD8
CloseHandle.KERNEL32 ref: 000002287BC30AEA
CloseHandle.KERNEL32 ref: 000002287BC30AFD
CloseHandle.KERNEL32 ref: 000002287BC30B14
CreateThread.KERNEL32 ref: 000002287BC30B50

Strings

, xrefs: 000002287BC30AB6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateFreeVirtual$Pipe$InfoProcessStartupThreadlstrcatmemset
String ID:
API String ID: 3234776578-3916222277
Opcode ID: 748075d32db5a7721aa9856b90801b439f4802cfd92a9538f61b3ddd284796bc
Instruction ID: 8d5007b9bc7667cd61e9472fa1d9c7ac7e63eb25d0f96127bfad9b8ec7f0059a
Opcode Fuzzy Hash: 748075d32db5a7721aa9856b90801b439f4802cfd92a9538f61b3ddd284796bc
Instruction Fuzzy Hash: 63915F3A602B40E6FB54CFA2F95875EB3B5FB88B48F148116DE8943A14DF38C1A5D744

Function 000002287BC1F120 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 179fileprocessmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1F14D
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC1F15A
GetLastError.KERNEL32 ref: 000002287BC1F164
lstrcatW.KERNEL32 ref: 000002287BC1F17D
CreateFileW.KERNEL32 ref: 000002287BC1F1FC
GetLastError.KERNEL32 ref: 000002287BC1F20B
WriteFile.KERNEL32 ref: 000002287BC1F228
GetLastError.KERNEL32 ref: 000002287BC1F232
CloseHandle.KERNEL32 ref: 000002287BC1F240
memset.NTDLL ref: 000002287BC1F268
memset.NTDLL ref: 000002287BC1F2D8
VirtualAlloc.KERNEL32 ref: 000002287BC1F33F
wsprintfW.USER32 ref: 000002287BC1F369
CreateProcessW.KERNEL32 ref: 000002287BC1F3E5
CloseHandle.KERNEL32 ref: 000002287BC1F3F5
CloseHandle.KERNEL32 ref: 000002287BC1F40A
VirtualFree.KERNEL32 ref: 000002287BC1F420

Strings

\rar.exe, xrefs: 000002287BC1F16A
h, xrefs: 000002287BC1F3D4
rar.exe x "%s" "%s", xrefs: 000002287BC1F362

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseErrorHandleLastmemset$CreateFileVirtual$AllocDirectoryFreeProcessWindowsWritelstrcatwsprintf
String ID: \rar.exe$h$rar.exe x "%s" "%s"
API String ID: 2158214755-1420003661
Opcode ID: 5e9b4a59aed4b4de70113cb02e0e9ef7dc6a8c2b10892aa3f7f01b5f90f20a3d
Instruction ID: 02d220da5f399ac2f42ca45570059ce108483b820b9e23e2c616251720d1d115
Opcode Fuzzy Hash: 5e9b4a59aed4b4de70113cb02e0e9ef7dc6a8c2b10892aa3f7f01b5f90f20a3d
Instruction Fuzzy Hash: 7781BF76615B8197FB20CFB1E84879DB3A2F7C9B88F509225CE4A57A58DF39C145CB00

Function 000002287BC170C0 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 174memoryprocessstringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC16DD0: memcpy.NTDLL ref: 000002287BC16DEE
Part of subcall function 000002287BC16DD0: memset.NTDLL ref: 000002287BC16E00
Part of subcall function 000002287BC16DD0: lstrcatA.KERNEL32 ref: 000002287BC16E20
Part of subcall function 000002287BC16DD0: lstrcatW.KERNEL32 ref: 000002287BC16E54

GetCurrentProcessId.KERNEL32 ref: 000002287BC1713B
ProcessIdToSessionId.KERNEL32 ref: 000002287BC1714B
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC17174
GetProcessHeap.KERNEL32 ref: 000002287BC17183
HeapAlloc.KERNEL32 ref: 000002287BC17196
CloseHandle.KERNEL32 ref: 000002287BC171A7
WTSGetActiveConsoleSessionId.KERNEL32 ref: 000002287BC171B6
Process32FirstW.KERNEL32 ref: 000002287BC171E4
lstrcmpiW.KERNEL32 ref: 000002287BC1720B
Process32NextW.KERNEL32 ref: 000002287BC1721B
GetProcessHeap.KERNEL32 ref: 000002287BC17233
HeapFree.KERNEL32 ref: 000002287BC17241
CloseHandle.KERNEL32 ref: 000002287BC1724A
ProcessIdToSessionId.KERNEL32 ref: 000002287BC17264
CreateThread.KERNEL32 ref: 000002287BC17287
VirtualFree.KERNEL32 ref: 000002287BC17316
VirtualFree.KERNEL32 ref: 000002287BC17340
VirtualFree.KERNEL32 ref: 000002287BC1735B
VirtualFree.KERNEL32 ref: 000002287BC17385

Strings

explorer.exe, xrefs: 000002287BC17204

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$FreeProcess$Heap$EnterReadSession$CloseCreateHandleLeaveProcess32lstrcat$ActiveConsoleCurrentFirstInitializeNextSnapshotThreadToolhelp32lstrcmpimemcpymemset
String ID: explorer.exe
API String ID: 1072794995-3187896405
Opcode ID: 98c28f7a3e6853c6c1b60e024fe1d0a7cb6813ed080a4efa262067ae284fd3cd
Instruction ID: 6d0862245cdbe1926f940b24b7e7c2f203f2d18f6d87b28df572f4fed05228ce
Opcode Fuzzy Hash: 98c28f7a3e6853c6c1b60e024fe1d0a7cb6813ed080a4efa262067ae284fd3cd
Instruction Fuzzy Hash: 2971B0A9306B80E2FB649FA2E94C769A3A2FBC5F84F64C116DE4653B54DF38C4568700

Function 000002287BC2CF00 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 109stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000002287BC2CF2E
OpenProcessToken.ADVAPI32 ref: 000002287BC2CF41
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC2CF69
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC2CF8B
GetLastError.KERNEL32 ref: 000002287BC2CF91
CloseHandle.KERNEL32 ref: 000002287BC2CFA7
GetCurrentProcess.KERNEL32 ref: 000002287BC2CFBD
OpenProcessToken.ADVAPI32 ref: 000002287BC2CFD2
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC2CFFA
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC2D01E
GetLastError.KERNEL32 ref: 000002287BC2D024
CloseHandle.KERNEL32 ref: 000002287BC2D03A
memset.NTDLL ref: 000002287BC2D052
OpenProcess.KERNEL32 ref: 000002287BC2D061
K32EnumProcessModules.KERNEL32 ref: 000002287BC2D08B
K32GetProcessImageFileNameW.KERNEL32 ref: 000002287BC2D09F
lstrcpyW.KERNEL32 ref: 000002287BC2D0B3
CloseHandle.KERNEL32 ref: 000002287BC2D0D0

Strings

SeTcbPrivilege, xrefs: 000002287BC2CFE9
SeDebugPrivilege, xrefs: 000002287BC2CF58

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$Token$CloseHandleOpen$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue$EnumFileImageModulesNamelstrcpymemset
String ID: SeDebugPrivilege$SeTcbPrivilege
API String ID: 4244359295-3171858176
Opcode ID: 51d2edd5c60738ffa5d0fdb0cca7e17e9b36116d7ade6d5bc03d967e336e03f1
Instruction ID: c97523f441dda109c5f9e3632b66334e4d9413fbcbedc7ad87e6d790c77ddb09
Opcode Fuzzy Hash: 51d2edd5c60738ffa5d0fdb0cca7e17e9b36116d7ade6d5bc03d967e336e03f1
Instruction Fuzzy Hash: D751933A216A4091F7608FA1E80C7D9A3A2F7C5B64F50D216D95947AD4DF7CC14BCB40

Function 000002287BC476C0 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 274networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000002287BC477FD
setsockopt.WS2_32 ref: 000002287BC4783F
setsockopt.WS2_32 ref: 000002287BC4785C
setsockopt.WS2_32 ref: 000002287BC479A3
WSAGetLastError.WS2_32 ref: 000002287BC479AD
listen.WS2_32 ref: 000002287BC479BF
closesocket.WS2_32 ref: 000002287BC47A2E
WSAGetLastError.WS2_32 ref: 000002287BC47B01
closesocket.WS2_32 ref: 000002287BC47B30
closesocket.WS2_32 ref: 000002287BC47B58

Strings

ERROR opening socket, xrefs: 000002287BC47B65
listen failed with error %d, xrefs: 000002287BC47B07
lws_create_vhost, xrefs: 000002287BC476C8
listen|%s|%s|%d, xrefs: 000002287BC47A12
Out of mem, xrefs: 000002287BC47B3D
reuseaddr failed, xrefs: 000002287BC47B46
_lws_vhost_init_server_af, xrefs: 000002287BC47A5E, 000002287BC47AB6
%s: VH %s: iface %s port %d NOT USABLE, xrefs: 000002287BC47ABD
%s: VH %s: iface %s port %d DOESN'T EXIST, xrefs: 000002287BC47A65

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: closesocketsetsockopt$ErrorLast$listensocket
String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
API String ID: 3630065070-1684632830
Opcode ID: 56d6c0d6c2e486f488bfdeb426c9946559a07e7a810c0e6f636a7120c48fabe0
Instruction ID: 81338442a65d56115b56c73635f76b7322deeed03a9db5b8df63a8b432d373b3
Opcode Fuzzy Hash: 56d6c0d6c2e486f488bfdeb426c9946559a07e7a810c0e6f636a7120c48fabe0
Instruction Fuzzy Hash: F9D1D33A202A84A2FB54CF55D44D79DB7A2F788BA8F64C222DE2D477A4DF34C256C740

Function 000002287BC23C50 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 197stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000002287BC23CA2
malloc.MSVCRT ref: 000002287BC23CBE
free.MSVCRT ref: 000002287BC23CCF
memset.NTDLL ref: 000002287BC23D07
GetCursorInfo.USER32 ref: 000002287BC23D24
GetCursorPos.USER32 ref: 000002287BC23D2E
GetForegroundWindow.USER32 ref: 000002287BC23D3C
GetWindowTextW.USER32 ref: 000002287BC23D53
GetTickCount.KERNEL32 ref: 000002287BC23D7E
GetTickCount.KERNEL32 ref: 000002287BC23D8A
wsprintfW.USER32 ref: 000002287BC23DCF
lstrlenW.KERNEL32 ref: 000002287BC23DD8

Strings

%s|%d, xrefs: 000002287BC23DB8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CountCursorTickWindowmalloc$ForegroundInfoTextfreelstrlenmemsetwsprintf
String ID: %s|%d
API String ID: 14445030-1229896841
Opcode ID: dcdcf8374226a3ccfbb2827651b01a1de8bcf6c732bb97cedd53e70132965785
Instruction ID: b857e945eca498e6863e31e5857123f8a30540fc6d254d1abfba180304af5968
Opcode Fuzzy Hash: dcdcf8374226a3ccfbb2827651b01a1de8bcf6c732bb97cedd53e70132965785
Instruction Fuzzy Hash: AB818339712B419AFB54DFA6E94C79873A2FBC9B98F148125DE4A47B54DF38C086C700

Function 000002287BC26450 Relevance: 33.3, APIs: 15, Strings: 4, Instructions: 76servicestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC26469
lstrcatW.KERNEL32 ref: 000002287BC2647D
memset.NTDLL ref: 000002287BC26490
GetWindowsDirectoryW.KERNEL32 ref: 000002287BC2649F
GetLastError.KERNEL32 ref: 000002287BC264A9
lstrcatW.KERNEL32 ref: 000002287BC264BB
OpenSCManagerW.ADVAPI32 ref: 000002287BC264CB
GetLastError.KERNEL32 ref: 000002287BC264D9
CreateServiceW.ADVAPI32 ref: 000002287BC26550
GetLastError.KERNEL32 ref: 000002287BC2655E
CloseServiceHandle.ADVAPI32 ref: 000002287BC26567
GetLastError.KERNEL32 ref: 000002287BC2656D
StartServiceW.ADVAPI32 ref: 000002287BC2658C
CloseServiceHandle.ADVAPI32 ref: 000002287BC26595
CloseServiceHandle.ADVAPI32 ref: 000002287BC2659E

Strings

tpdrivers, xrefs: 000002287BC2646E
\system32\drivers\tpdrivers.sys, xrefs: 000002287BC264AF
FSFilter Activity Monitor, xrefs: 000002287BC2651D
FltMgr, xrefs: 000002287BC264F7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandle$lstrcatmemset$CreateDirectoryManagerOpenStartWindows
String ID: FSFilter Activity Monitor$FltMgr$\system32\drivers\tpdrivers.sys$tpdrivers
API String ID: 4233479461-606275738
Opcode ID: 7b857e422064ef3de2e2687e52ee3d06e09fa56a0c6970dce3fe4e98a62ea91b
Instruction ID: a2fb261e8394744596e161dc0f7aaa01c51039a46b185a6cba371e9cb9fcecb1
Opcode Fuzzy Hash: 7b857e422064ef3de2e2687e52ee3d06e09fa56a0c6970dce3fe4e98a62ea91b
Instruction Fuzzy Hash: 83316179616B40E2FB108F95F55C79AB3A2FBC9754F648026DA8943B64EF3CC14ACB04

Function 000002287BC2FCED Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Strings

\Pbk, xrefs: 000002287BC2FCED

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID: \Pbk
API String ID: 4179252731-1099493443
Opcode ID: b77d51fa12385468c5ee568c32fb12288e0777874571c5e8db0c05f26f135837
Instruction ID: 1ddc5b0b8724d7176b00469a44f845a54d3e8ca9458bedd22b34d3466633e45c
Opcode Fuzzy Hash: b77d51fa12385468c5ee568c32fb12288e0777874571c5e8db0c05f26f135837
Instruction Fuzzy Hash: CFC1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC2FCB7 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Strings

~~, xrefs: 000002287BC2FCB7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID: ~~
API String ID: 4179252731-2945576293
Opcode ID: a1b45eeceb69098cce945d41d3140ebbf50484008a946239a46d13f937bb52ff
Instruction ID: 6e9239cd096255358b5af1e1b1fde97ae7f9ae0b1560f91c43158df6c4c76e17
Opcode Fuzzy Hash: a1b45eeceb69098cce945d41d3140ebbf50484008a946239a46d13f937bb52ff
Instruction Fuzzy Hash: D2C1BF26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC2FCDB Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Strings

ck(W, xrefs: 000002287BC2FCDB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID: ck(W
API String ID: 4179252731-3825715661
Opcode ID: a1b45eeceb69098cce945d41d3140ebbf50484008a946239a46d13f937bb52ff
Instruction ID: d4b21c65a7ef8d389424889975383cd7bac7a8210d9fa020d47f92e4b1a50b94
Opcode Fuzzy Hash: a1b45eeceb69098cce945d41d3140ebbf50484008a946239a46d13f937bb52ff
Instruction Fuzzy Hash: EFC1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC2FCE4 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Strings

\Pbk-N, xrefs: 000002287BC2FCE4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID: \Pbk-N
API String ID: 4179252731-2524875733
Opcode ID: a518ca04a80f98a678e0b47f4e262c1edb192ada4c1eaff6745d369851720ab4
Instruction ID: df5e969996d94a2d31b9d0e75d950341d39d5e8ddb0b72d5450f03b89dd73d52
Opcode Fuzzy Hash: a518ca04a80f98a678e0b47f4e262c1edb192ada4c1eaff6745d369851720ab4
Instruction Fuzzy Hash: FCC1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC19E10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 120windowregistrymemoryCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000002287BC19E45
IsBadReadPtr.KERNEL32 ref: 000002287BC19E74
EnterCriticalSection.KERNEL32 ref: 000002287BC19E8F
VirtualAlloc.KERNEL32 ref: 000002287BC19EA5
LeaveCriticalSection.KERNEL32 ref: 000002287BC19EC9
CreateWindowExW.USER32 ref: 000002287BC19F1A
GetLastError.KERNEL32 ref: 000002287BC19F38
SetWindowLongPtrW.USER32 ref: 000002287BC19F56
RegisterRawInputDevices.USER32 ref: 000002287BC19F7F
GetLastError.KERNEL32 ref: 000002287BC19F89
GetModuleHandleA.KERNEL32 ref: 000002287BC19F95
SetWindowsHookExW.USER32 ref: 000002287BC19FAC
GetMessageW.USER32 ref: 000002287BC19FC6
TranslateMessage.USER32 ref: 000002287BC19FD5
DispatchMessageW.USER32 ref: 000002287BC19FE0
GetMessageW.USER32 ref: 000002287BC19FF3
UnhookWindowsHookEx.USER32 ref: 000002287BC1A009

Strings

static, xrefs: 000002287BC19EF0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Message$CreateCriticalErrorHookLastSectionWindowWindows$AllocDevicesDispatchEnterHandleInputLeaveLongModuleReadRegisterThreadTranslateUnhookVirtual
String ID: static
API String ID: 2132721342-2160076837
Opcode ID: 679af59b026f32d1d86beea9d8d419bba1a60b64fbd3c074e0861383a5aaab2b
Instruction ID: c25ab4f47b3294293d315a8f353fc7f3e38d80aa236a8721adc9d6082679a0e9
Opcode Fuzzy Hash: 679af59b026f32d1d86beea9d8d419bba1a60b64fbd3c074e0861383a5aaab2b
Instruction Fuzzy Hash: 7451437A206B80E2F7148FA1F95CB5AB3E6FBC9B44F688016DA4953764DF38C556C700

Function 000002287BC2E560 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 120injectionmemorystringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2E56E
Process32FirstW.KERNEL32 ref: 000002287BC2E587
lstrcmpiW.KERNEL32 ref: 000002287BC2E5B9
OpenProcess.KERNEL32 ref: 000002287BC2E5D5
VirtualAllocEx.KERNEL32 ref: 000002287BC2E5FC
WriteProcessMemory.KERNEL32 ref: 000002287BC2E61E
CreateRemoteThread.KERNEL32 ref: 000002287BC2E641
CloseHandle.KERNEL32 ref: 000002287BC2E64F
Process32NextW.KERNEL32 ref: 000002287BC2E65D
lstrcmpiW.KERNEL32 ref: 000002287BC2E67C
OpenProcess.KERNEL32 ref: 000002287BC2E696
VirtualAllocEx.KERNEL32 ref: 000002287BC2E6BD
WriteProcessMemory.KERNEL32 ref: 000002287BC2E6E3
CreateRemoteThread.KERNEL32 ref: 000002287BC2E706
CloseHandle.KERNEL32 ref: 000002287BC2E714
Process32NextW.KERNEL32 ref: 000002287BC2E722

Strings

@, xrefs: 000002287BC2E6A6
winlogon.exe, xrefs: 000002287BC2E5AA, 000002287BC2E675

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$CreateProcess32$AllocCloseHandleMemoryNextOpenRemoteThreadVirtualWritelstrcmpi$FirstSnapshotToolhelp32
String ID: @$winlogon.exe
API String ID: 2717908072-2705468112
Opcode ID: 29f8420343cec9b4b21dc1987b7defb73e85e1454b62bebeda566836a203a5ca
Instruction ID: df10a763c80504bf9086b20f5fea637d31759496d7fcd5d4522a32af3f4cd85d
Opcode Fuzzy Hash: 29f8420343cec9b4b21dc1987b7defb73e85e1454b62bebeda566836a203a5ca
Instruction Fuzzy Hash: CE516029306B4196FB648F96F95C756F3A2FBCAB88F588129CA4947754EF3CC1478700

Function 000002287BC22010 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 212filestringmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC22044

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

lstrcatW.KERNEL32 ref: 000002287BC22060
lstrcatW.KERNEL32 ref: 000002287BC22075
CreateFileW.KERNEL32 ref: 000002287BC220A4
GetFileSize.KERNEL32 ref: 000002287BC220BC
VirtualAlloc.KERNEL32 ref: 000002287BC220D2
CloseHandle.KERNEL32 ref: 000002287BC220E8
VirtualFree.KERNEL32 ref: 000002287BC220FE
ReadFile.KERNEL32 ref: 000002287BC2213B
VirtualFree.KERNEL32 ref: 000002287BC22221
CloseHandle.KERNEL32 ref: 000002287BC2222F
VirtualFree.KERNEL32 ref: 000002287BC222D3
VirtualFree.KERNEL32 ref: 000002287BC222FD
VirtualFree.KERNEL32 ref: 000002287BC22313
VirtualFree.KERNEL32 ref: 000002287BC2233D

Strings

\temp.key, xrefs: 000002287BC22066
C:\Program Files\Windows Mail, xrefs: 000002287BC2204E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Read$EnterFile$CloseHandleLeavelstrcat$CreateInitializeSizememset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 1994389154-229217837
Opcode ID: e88102d0544aa8df28727628e5808d0055df72ca167b4125772961bf00e46c06
Instruction ID: 0734c9aecead320b97fd15f750236c3268760cb14b1c4aac02c414c2f0c7f68b
Opcode Fuzzy Hash: e88102d0544aa8df28727628e5808d0055df72ca167b4125772961bf00e46c06
Instruction Fuzzy Hash: 0391D336712B8092FB14CFA6E54CB5AB7A2FBC9B80F14C615DE8A47B54DF38C5568B00

Function 000002287BC1A2F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 149filestringmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000002287BC1A30B
memset.NTDLL ref: 000002287BC1A324
lstrcatW.KERNEL32 ref: 000002287BC1A335
lstrcatW.KERNEL32 ref: 000002287BC1A347
CreateFileW.KERNEL32 ref: 000002287BC1A37E
CreateFileW.KERNEL32 ref: 000002287BC1A3B3
SetFilePointer.KERNEL32 ref: 000002287BC1A3C8
WriteFile.KERNEL32 ref: 000002287BC1A3F7
SetFileAttributesW.KERNEL32 ref: 000002287BC1A406
SetFilePointer.KERNEL32 ref: 000002287BC1A41A
VirtualAlloc.KERNEL32 ref: 000002287BC1A42F
WriteFile.KERNEL32 ref: 000002287BC1A51A
VirtualFree.KERNEL32 ref: 000002287BC1A52B
SetFileAttributesW.KERNEL32 ref: 000002287BC1A53B
CloseHandle.KERNEL32 ref: 000002287BC1A549

Strings

\temp.key, xrefs: 000002287BC1A33B
C:\Program Files\Windows Mail, xrefs: 000002287BC1A329

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 573267298-229217837
Opcode ID: eb73b11bebb12c59d1c57ca0c2106ab5f1786359d010a4a01a80fbb47712b4fd
Instruction ID: 3058e36e624c1998cb6cca66d47aa151f96f75b68eb5694a3fc09ae1b2342a62
Opcode Fuzzy Hash: eb73b11bebb12c59d1c57ca0c2106ab5f1786359d010a4a01a80fbb47712b4fd
Instruction Fuzzy Hash: 4A610576611B8492FB20CF65E50CB99B762FBC9B98F64D211DA8513B54EF3CC50ACB00

Function 000002287BC30CB0 Relevance: 28.7, APIs: 19, Instructions: 182memorysynchronizationsleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000002287BC30D0C
WaitForSingleObject.KERNEL32 ref: 000002287BC30D18
VirtualAlloc.KERNEL32 ref: 000002287BC30D5F
PeekNamedPipe.KERNEL32 ref: 000002287BC30D94
VirtualAlloc.KERNEL32 ref: 000002287BC30DCD
ReadFile.KERNEL32 ref: 000002287BC30DFA
MultiByteToWideChar.KERNEL32 ref: 000002287BC30E20
VirtualAlloc.KERNEL32 ref: 000002287BC30E44
MultiByteToWideChar.KERNEL32 ref: 000002287BC30E72
MultiByteToWideChar.KERNEL32 ref: 000002287BC30E92

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC30ECC
VirtualFree.KERNEL32 ref: 000002287BC30EFF
VirtualFree.KERNEL32 ref: 000002287BC30F2F
VirtualFree.KERNEL32 ref: 000002287BC30F44
LeaveCriticalSection.KERNEL32 ref: 000002287BC30F4E
Sleep.KERNEL32 ref: 000002287BC30F59
EnterCriticalSection.KERNEL32 ref: 000002287BC30F63
WaitForSingleObject.KERNEL32 ref: 000002287BC30F71
LeaveCriticalSection.KERNEL32 ref: 000002287BC30F95

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Enter$FreeLeaveRead$ByteCharMultiWide$ObjectSingleWait$FileInitializeNamedPeekPipeSleep
String ID:
API String ID: 1492683211-0
Opcode ID: 50f4985042c921f4f2bdaf4587066dceb9afccac07f757d897c59e1bf45b3079
Instruction ID: 32b023b0f2e99e54753fa53da00232581685efbcb4157020b61f56b63fcc8344
Opcode Fuzzy Hash: 50f4985042c921f4f2bdaf4587066dceb9afccac07f757d897c59e1bf45b3079
Instruction Fuzzy Hash: AA819336205A80D6F764CF66E508B5AF7E6FBC9B84F54812ADA4987B64DF39C046CB00

Function 000002287BC1F870 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 196memoryinjectionlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC1F6C0: VirtualAlloc.KERNEL32 ref: 000002287BC1F6FE
Part of subcall function 000002287BC1F6C0: memcpy.NTDLL ref: 000002287BC1F71A
Part of subcall function 000002287BC1F6C0: VirtualFree.KERNEL32 ref: 000002287BC1F80F

VirtualAllocEx.KERNEL32 ref: 000002287BC1F8C4
GetLastError.KERNEL32 ref: 000002287BC1F8D2
WriteProcessMemory.KERNEL32 ref: 000002287BC1F8F3
VirtualAllocEx.KERNEL32 ref: 000002287BC1F913
WriteProcessMemory.KERNEL32 ref: 000002287BC1F936
VirtualAllocEx.KERNEL32 ref: 000002287BC1F957
WriteProcessMemory.KERNEL32 ref: 000002287BC1FA37
VirtualProtectEx.KERNEL32 ref: 000002287BC1FA60
VirtualProtectEx.KERNEL32 ref: 000002287BC1FA7C
GetModuleHandleW.KERNEL32 ref: 000002287BC1FA97
GetProcAddress.KERNEL32 ref: 000002287BC1FAA7

Strings

ntdll.dll, xrefs: 000002287BC1FA88
h, xrefs: 000002287BC1F9EF
@, xrefs: 000002287BC1F942
ZwCreateThreadEx, xrefs: 000002287BC1FAA0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
String ID: @$ZwCreateThreadEx$h$ntdll.dll
API String ID: 2541485474-1855171776
Opcode ID: 7a8311cc7dc6849816555179bd9628da08200b2fd6494e16f475aad11e460869
Instruction ID: 9795c5a2fbc59824722392a98815b9a64ae14c84efcae4590a67b24dff3091f5
Opcode Fuzzy Hash: 7a8311cc7dc6849816555179bd9628da08200b2fd6494e16f475aad11e460869
Instruction Fuzzy Hash: AE813C627057809AF724CFB9A8587AD7B61F796788F148229DE8563B84CF38C207C750

Function 000002287BC12CB0 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 156comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000002287BC12CCA
CLSIDFromString.OLE32 ref: 000002287BC12FAD
IIDFromString.OLE32 ref: 000002287BC12FBF
CoCreateInstance.OLE32 ref: 000002287BC12FDC

Strings

\:^:, xrefs: 000002287BC12EF4
X:[:, xrefs: 000002287BC12E4C
:, xrefs: 000002287BC12F50
\:[:, xrefs: 000002287BC12E3D
:_:, xrefs: 000002287BC12D7D
:, xrefs: 000002287BC12F25
^:G:, xrefs: 000002287BC12DD9
:Y:, xrefs: 000002287BC12EE4
Y::, xrefs: 000002287BC12EEC
A::, xrefs: 000002287BC12CDE
Y:\:, xrefs: 000002287BC12D65
X:^:, xrefs: 000002287BC12D75

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-736265694
Opcode ID: 6f65156dbf696046caf638914e9d193d0eb7e6b3cd83c2f0a31e7d0e7da0aa0e
Instruction ID: 20b4a22b4d1f998a6b623101fc089021a7971585e1727dbe4687e42f0c3b3c94
Opcode Fuzzy Hash: 6f65156dbf696046caf638914e9d193d0eb7e6b3cd83c2f0a31e7d0e7da0aa0e
Instruction Fuzzy Hash: D6910D73919BD5CAE3118F79A4016AABB60F7E5348F10A249EBC466919EB7CE580CF00

Function 000002287BC2ADC0 Relevance: 27.3, APIs: 18, Instructions: 252networkthreadCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 000002287BC2AE5C
WSACreateEvent.WS2_32 ref: 000002287BC2AE6A
WSAEventSelect.WS2_32 ref: 000002287BC2AE8E
WSAEventSelect.WS2_32 ref: 000002287BC2AEA7
WSAWaitForMultipleEvents.WS2_32 ref: 000002287BC2AEE6
WSAEnumNetworkEvents.WS2_32 ref: 000002287BC2AF12
WSAEnumNetworkEvents.WS2_32 ref: 000002287BC2AFA0
WSAWaitForMultipleEvents.WS2_32 ref: 000002287BC2B026
VirtualFree.KERNEL32 ref: 000002287BC2B06D
VirtualFree.KERNEL32 ref: 000002287BC2B097
VirtualFree.KERNEL32 ref: 000002287BC2B0B2
VirtualFree.KERNEL32 ref: 000002287BC2B0DC
VirtualFree.KERNEL32 ref: 000002287BC2B0F2
GetCurrentThreadId.KERNEL32 ref: 000002287BC2B0FD
IsBadReadPtr.KERNEL32 ref: 000002287BC2B10D
EnterCriticalSection.KERNEL32 ref: 000002287BC2B11C
VirtualFree.KERNEL32 ref: 000002287BC2B162
LeaveCriticalSection.KERNEL32 ref: 000002287BC2B16D

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$EventEvents$CreateCriticalEnumMultipleNetworkSectionSelectWait$CurrentEnterLeaveReadThread
String ID:
API String ID: 4074094491-0
Opcode ID: 9e91bfc9ef544f9a95d43254c8dff832cda68e6186363fcb9a4b6ce2138c1c54
Instruction ID: e60ca4a273181684cb82f39fff0b6e4accb5ab6a4b0eb08f38c1f533accb1e0f
Opcode Fuzzy Hash: 9e91bfc9ef544f9a95d43254c8dff832cda68e6186363fcb9a4b6ce2138c1c54
Instruction Fuzzy Hash: D6B1933A202B4092FB65DF96E48C799B3A2FBC9B94F248115EE5A43794DF38C496C700

Function 000002287BC2FCC0 Relevance: 25.7, APIs: 17, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID:
API String ID: 4179252731-0
Opcode ID: a3856b18d4b71ffe09753b2843bea3402236ed1a4c29b22b69b3066f206c14ee
Instruction ID: e72e8a1140d1f164fc9174a3b10c8849742074417fe26279ebcaee2c915976ea
Opcode Fuzzy Hash: a3856b18d4b71ffe09753b2843bea3402236ed1a4c29b22b69b3066f206c14ee
Instruction Fuzzy Hash: 7DC1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC2FCC9 Relevance: 25.7, APIs: 17, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID:
API String ID: 4179252731-0
Opcode ID: c254307e67488c3623d58bee08e06feaecd280e700d2345b01e4a01756176830
Instruction ID: c552eb847bae7f7da368cd261e14d98a0ac04bc90eb27114fa4e234a890d311a
Opcode Fuzzy Hash: c254307e67488c3623d58bee08e06feaecd280e700d2345b01e4a01756176830
Instruction Fuzzy Hash: 6AC1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC2FCD2 Relevance: 25.7, APIs: 17, Instructions: 233stringservicememoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 000002287BC2FD02
VirtualAlloc.KERNEL32 ref: 000002287BC2FD3F
QueryServiceConfigW.ADVAPI32 ref: 000002287BC2FD64
lstrcpyW.KERNEL32 ref: 000002287BC2FDD6
lstrlenW.KERNEL32 ref: 000002287BC2FE05
memcpy.NTDLL ref: 000002287BC2FEA5
lstrlenW.KERNEL32 ref: 000002287BC2FEC5
memcpy.NTDLL ref: 000002287BC2FEDD
lstrlenW.KERNEL32 ref: 000002287BC2FEE6
memcpy.NTDLL ref: 000002287BC2FF6E
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FF76
VirtualFree.KERNEL32 ref: 000002287BC2FF98
VirtualFree.KERNEL32 ref: 000002287BC2FFA9
CloseServiceHandle.ADVAPI32 ref: 000002287BC2FFD0
LocalFree.KERNEL32 ref: 000002287BC2FFD9
VirtualFree.KERNEL32 ref: 000002287BC30085
VirtualFree.KERNEL32 ref: 000002287BC300AF
VirtualFree.KERNEL32 ref: 000002287BC300C5
VirtualFree.KERNEL32 ref: 000002287BC300EF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
String ID:
API String ID: 4179252731-0
Opcode ID: d09215ca54577ca17aa5ff3024d3fa94f371ecf659accf61201443d43b535354
Instruction ID: 1891bcd84954314b9e243f0f9a109d3c057f3f0ed10fa5e048e56fde235a90b3
Opcode Fuzzy Hash: d09215ca54577ca17aa5ff3024d3fa94f371ecf659accf61201443d43b535354
Instruction Fuzzy Hash: A4C1BE26A15B8592F711CF79D5187AC6361FBDAB88F24E215CF4913A12EF35E1E6C300

Function 000002287BC25050 Relevance: 25.7, APIs: 17, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2509E
VirtualFree.KERNEL32 ref: 000002287BC250C8
VirtualAlloc.KERNEL32 ref: 000002287BC250DF
VirtualAlloc.KERNEL32 ref: 000002287BC2517F
InitializeCriticalSection.KERNEL32 ref: 000002287BC25199
CreateEventW.KERNEL32 ref: 000002287BC251B6
VirtualFree.KERNEL32 ref: 000002287BC2521D
VirtualFree.KERNEL32 ref: 000002287BC25247
CloseHandle.KERNEL32 ref: 000002287BC25268
IsBadReadPtr.KERNEL32 ref: 000002287BC2527E
IsBadReadPtr.KERNEL32 ref: 000002287BC252A5
WaitForMultipleObjects.KERNEL32 ref: 000002287BC252E6
CloseHandle.KERNEL32 ref: 000002287BC252F9
IsBadReadPtr.KERNEL32 ref: 000002287BC25318
VirtualFree.KERNEL32 ref: 000002287BC25366
VirtualFree.KERNEL32 ref: 000002287BC25390
VirtualFree.KERNEL32 ref: 000002287BC253BD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Read$Enter$CloseHandleInitializeLeave$CreateEventMultipleObjectsWait
String ID:
API String ID: 1725847572-0
Opcode ID: f549322a3b5621ab8d80f2d6d8757b4ebdbe63a63a0333a4f599cac5bba947b8
Instruction ID: 3bf7b7de43bd9a5063212241038170865860d5ffe95aebe904f72442e4724719
Opcode Fuzzy Hash: f549322a3b5621ab8d80f2d6d8757b4ebdbe63a63a0333a4f599cac5bba947b8
Instruction Fuzzy Hash: 04A11C3A202B4096FB54CFA2E55876AB3A6FBC9F94F54C125CE4A43B54DF38C496C740

Function 000002287BC337F0 Relevance: 25.7, APIs: 17, Instructions: 183filememoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000002287BC33837
memcpy.NTDLL ref: 000002287BC33849
CreateFileW.KERNEL32 ref: 000002287BC33888
GetFileSize.KERNEL32 ref: 000002287BC338B1
SetFilePointer.KERNEL32 ref: 000002287BC338CD
VirtualAlloc.KERNEL32 ref: 000002287BC338E4
GetLastError.KERNEL32 ref: 000002287BC338F2
free.MSVCRT ref: 000002287BC33906
ReadFile.KERNEL32 ref: 000002287BC3394C
VirtualFree.KERNEL32 ref: 000002287BC33A18
VirtualFree.KERNEL32 ref: 000002287BC33A42
VirtualFree.KERNEL32 ref: 000002287BC33A58
VirtualFree.KERNEL32 ref: 000002287BC33A82
GetLastError.KERNEL32 ref: 000002287BC33A8A
VirtualFree.KERNEL32 ref: 000002287BC33AA6

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

GetLastError.KERNEL32 ref: 000002287BC33AB1
free.MSVCRT ref: 000002287BC33AC5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$Free$FileRead$EnterErrorLast$Leavefree$CreateInitializePointerSizemallocmemcpy
String ID:
API String ID: 1128571104-0
Opcode ID: 280e83c3d331265542770051d0c8d276843b1b8b5e3364cd17c4caa20576ede8
Instruction ID: 7f35b7077f8da301631d50f5652bc7b370f5f47ca9db57c858c160d8b52d9038
Opcode Fuzzy Hash: 280e83c3d331265542770051d0c8d276843b1b8b5e3364cd17c4caa20576ede8
Instruction Fuzzy Hash: 7571933A306B8096F764CFA2E95C75AB7A2FBC9B94F508115DE8A43B54DF39C046DB00

Function 000002287BC2E0A0 Relevance: 25.7, APIs: 17, Instructions: 170keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 000002287BC2E0B4
BlockInput.USER32 ref: 000002287BC2E0F1
GetDC.USER32 ref: 000002287BC2E134
GetDeviceCaps.GDI32 ref: 000002287BC2E19C
GetDeviceCaps.GDI32 ref: 000002287BC2E1AA
GetDeviceCaps.GDI32 ref: 000002287BC2E1B8
GetDeviceCaps.GDI32 ref: 000002287BC2E1E6
MapVirtualKeyW.USER32 ref: 000002287BC2E24C
keybd_event.USER32 ref: 000002287BC2E260
BlockInput.USER32 ref: 000002287BC2E3E5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CapsDevice$BlockInput$Virtualkeybd_event
String ID:
API String ID: 4019288356-0
Opcode ID: d66eda08ee5622a6591ffe4f6a43e3dc4b0c4fb3f8c5729876a8739658834e50
Instruction ID: 4e7af33cd48b3daf493620b0deed5b28ce90865ac8a5f821b32134e39859deb3
Opcode Fuzzy Hash: d66eda08ee5622a6591ffe4f6a43e3dc4b0c4fb3f8c5729876a8739658834e50
Instruction Fuzzy Hash: 3061273A61568093F3659FB1A80CB9AB3E2FBCE745F64C212DA4613664DF38D486C700

Function 000002287BC56700 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 258stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 000002287BC5672A

Strings

%s: malformed ip address, xrefs: 000002287BC56A21
lws_create_vhost, xrefs: 000002287BC5670D
lws_parse_numeric_address, xrefs: 000002287BC569CB, 000002287BC56A15
%s: ended on e %d, xrefs: 000002287BC569D2

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: strchr
String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
API String ID: 2830005266-2525933588
Opcode ID: f2ddd9f25b7366d5a724c830f8fff6cd8c50e6db8bcb4e026864a35d7b1d132e
Instruction ID: eed3174da902dd9fc516eba1dd01609941674db035a3c4036d1037b8e8f8571d
Opcode Fuzzy Hash: f2ddd9f25b7366d5a724c830f8fff6cd8c50e6db8bcb4e026864a35d7b1d132e
Instruction Fuzzy Hash: 57A1FA1930668075FA20CEB8940C3AAF653AFE17A8F78D231EAA7876D5DF35C4478301

Function 000002287BC17530 Relevance: 24.2, APIs: 16, Instructions: 212pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC17583

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

Part of subcall function 000002287BC16DD0: memcpy.NTDLL ref: 000002287BC16DEE
Part of subcall function 000002287BC16DD0: memset.NTDLL ref: 000002287BC16E00
Part of subcall function 000002287BC16DD0: lstrcatA.KERNEL32 ref: 000002287BC16E20
Part of subcall function 000002287BC16DD0: lstrcatW.KERNEL32 ref: 000002287BC16E54

VirtualFree.KERNEL32 ref: 000002287BC175AD
VirtualFree.KERNEL32 ref: 000002287BC175FD
VirtualFree.KERNEL32 ref: 000002287BC17627
VirtualFree.KERNEL32 ref: 000002287BC1764F
VirtualFree.KERNEL32 ref: 000002287BC17679
DisconnectNamedPipe.KERNEL32 ref: 000002287BC176A6
CloseHandle.KERNEL32 ref: 000002287BC176B5
DeleteCriticalSection.KERNEL32 ref: 000002287BC176C3
VirtualFree.KERNEL32 ref: 000002287BC176D4
VirtualFree.KERNEL32 ref: 000002287BC17775
VirtualFree.KERNEL32 ref: 000002287BC1779F
VirtualFree.KERNEL32 ref: 000002287BC177B5
VirtualFree.KERNEL32 ref: 000002287BC177DF
VirtualFree.KERNEL32 ref: 000002287BC177F5

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137D8
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC137F1
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13807
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1382B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13844
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1385A
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13886
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1389F
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC138B5
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC138D9
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC138F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13908

Part of subcall function 000002287BC16D20: IsBadReadPtr.KERNEL32 ref: 000002287BC16D43
Part of subcall function 000002287BC16D20: EnterCriticalSection.KERNEL32(?,?,00000038,000002287BC17306), ref: 000002287BC16D5E
Part of subcall function 000002287BC16D20: LeaveCriticalSection.KERNEL32(?,?,00000038,000002287BC17306), ref: 000002287BC16D81

VirtualFree.KERNEL32 ref: 000002287BC1781F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Free$EnterRead$Leave$Alloc$lstrcat$CloseDeleteDisconnectHandleInitializeNamedPipememcpymemset
String ID:
API String ID: 4255235403-0
Opcode ID: e1d690db24f22856ec17527d38dac099748b77a5963b07838ac948ce36aa8f80
Instruction ID: 8915407df39c22206e9da8d0c7dcf2660c77833bdd62b756d4072b39fcdfdd01
Opcode Fuzzy Hash: e1d690db24f22856ec17527d38dac099748b77a5963b07838ac948ce36aa8f80
Instruction Fuzzy Hash: 85918E69702B4096FB64DFA7E558729B3A2FBC9F84F18C125CE8A43B55DF38D4928700

Function 000002287BC215B0 Relevance: 24.1, APIs: 16, Instructions: 140networkmemorythreadCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC215D8
VirtualFree.KERNEL32 ref: 000002287BC2163F
VirtualFree.KERNEL32 ref: 000002287BC21669
socket.WS2_32 ref: 000002287BC2167D
setsockopt.WS2_32 ref: 000002287BC216AF
htons.WS2_32 ref: 000002287BC216CA
inet_addr.WS2_32 ref: 000002287BC216DF
htonl.WS2_32 ref: 000002287BC216E9
bind.WS2_32 ref: 000002287BC21702
WSAGetLastError.WS2_32 ref: 000002287BC2170C
listen.WS2_32 ref: 000002287BC21726
CreateThread.KERNEL32 ref: 000002287BC21754
IsBadReadPtr.KERNEL32 ref: 000002287BC2176D
EnterCriticalSection.KERNEL32 ref: 000002287BC21780
VirtualAlloc.KERNEL32 ref: 000002287BC21797
LeaveCriticalSection.KERNEL32 ref: 000002287BC217BB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalFreeSection$AllocCreateEnterErrorLastLeaveReadThreadbindhtonlhtonsinet_addrlistenmemsetsetsockoptsocket
String ID:
API String ID: 1206800484-0
Opcode ID: 1dc4caeba9d830bc8edcec2d178dadc19b4577220f64b26f3bb4bee7fae4f170
Instruction ID: 77aebc18db9af0b596689b897f7442d54341898d1aa12f03b410f3621d9fe127
Opcode Fuzzy Hash: 1dc4caeba9d830bc8edcec2d178dadc19b4577220f64b26f3bb4bee7fae4f170
Instruction Fuzzy Hash: 2951513A216B50E2FB248FA1E95879DB3A1FBC9F45F548026DB4A43B54DF38C596CB00

Function 000002287BC3DE90 Relevance: 22.9, APIs: 1, Strings: 14, Instructions: 382stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC432A0: memset.NTDLL ref: 000002287BC4333D

strcmp.MSVCRT ref: 000002287BC3E3C3

Strings

system, xrefs: 000002287BC3E009
raw-proxy, xrefs: 000002287BC3E3BC
novh, xrefs: 000002287BC3E291
lws not configured for tls, xrefs: 000002287BC3E21E
free, xrefs: 000002287BC3DF98, 000002287BC3E4D5
unable to bind to role, xrefs: 000002287BC3E106
%s/%s/%s/%s, xrefs: 000002287BC3E305
No vhost in the context, xrefs: 000002287BC3E0C2
default, xrefs: 000002287BC3DF30
lws_free, xrefs: 000002287BC3DFA6
MQTT, xrefs: 000002287BC3E475
no vhost, xrefs: 000002287BC3DF6D
lws_client_connect_via_info, xrefs: 000002287BC3DF66, 000002287BC3E0C9, 000002287BC3E1B5
YZ[\X]^_RAW, xrefs: 000002287BC3E498

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memsetstrcmp
String ID: %s/%s/%s/%s$MQTT$No vhost in the context$YZ[\X]^_RAW$default$free$lws not configured for tls$lws_client_connect_via_info$lws_free$no vhost$novh$raw-proxy$system$unable to bind to role
API String ID: 195427100-1777779229
Opcode ID: 60066d02c62946ac0b75382c712d1b8b03b8e31035fade1f2dcec241d2fc0af3
Instruction ID: 252dcf31b55913e8f9504fd337668294a44e4f637b198da5aecb17ea9a0eac7f
Opcode Fuzzy Hash: 60066d02c62946ac0b75382c712d1b8b03b8e31035fade1f2dcec241d2fc0af3
Instruction Fuzzy Hash: 5102C43A202B85A2FB95CFA1E4483A9B3A1F789B88F948036DF4D47754DF34D166D311

Function 000002287BC56BC0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000002287BC56C97
_unlink.MSVCRT ref: 000002287BC56DA0
bind.WS2_32 ref: 000002287BC56DBC
WSAGetLastError.WS2_32 ref: 000002287BC56DCD
getsockname.WS2_32 ref: 000002287BC56E7A
htons.WS2_32 ref: 000002287BC56E8B

Strings

"%s" too long for UNIX domain socket, xrefs: 000002287BC56D0F
lws_create_vhost, xrefs: 000002287BC56BCC
ERROR on binding fd %d to port %d (%d %d), xrefs: 000002287BC56E38
lws_socket_bind, xrefs: 000002287BC56D19, 000002287BC56DE7
@, xrefs: 000002287BC56D8E
ERROR on binding fd %d to "%s" (%d %d), xrefs: 000002287BC56E07

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: htons$ErrorLast_unlinkbindgetsockname
String ID: "%s" too long for UNIX domain socket$@$ERROR on binding fd %d to "%s" (%d %d)$ERROR on binding fd %d to port %d (%d %d)$lws_create_vhost$lws_socket_bind
API String ID: 4073785539-2597659182
Opcode ID: 5e646ba5ba94863d0a73da8f5214a4b9298205cd5804bd77cd5bf3180035a833
Instruction ID: 9eb50bf8e21373d5d7809c9c064cd0516244fb549758653eb975a6ea8efa7e94
Opcode Fuzzy Hash: 5e646ba5ba94863d0a73da8f5214a4b9298205cd5804bd77cd5bf3180035a833
Instruction Fuzzy Hash: 958107766057C096F720CFA0E8443EDB7A2F7E5798F609626EE8947A59DF38C186C700

Function 000002287BC11C70 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103memorynativesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 000002287BC11C92
VirtualAlloc.KERNEL32 ref: 000002287BC11CB9

Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,000002287BC11B37), ref: 000002287BC207F7
Part of subcall function 000002287BC207E0: GetCurrentProcess.KERNEL32 ref: 000002287BC20828
Part of subcall function 000002287BC207E0: OpenProcessToken.ADVAPI32 ref: 000002287BC20839
Part of subcall function 000002287BC207E0: LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC20861
Part of subcall function 000002287BC207E0: AdjustTokenPrivileges.KERNELBASE ref: 000002287BC20881
Part of subcall function 000002287BC207E0: GetLastError.KERNEL32 ref: 000002287BC20887
Part of subcall function 000002287BC207E0: CloseHandle.KERNEL32 ref: 000002287BC2089B
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC208B2
Part of subcall function 000002287BC207E0: InitializeCriticalSection.KERNEL32 ref: 000002287BC208C4
Part of subcall function 000002287BC207E0: IsBadReadPtr.KERNEL32 ref: 000002287BC208DD
Part of subcall function 000002287BC207E0: EnterCriticalSection.KERNEL32 ref: 000002287BC208F0
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC20907
Part of subcall function 000002287BC207E0: LeaveCriticalSection.KERNEL32 ref: 000002287BC20936
Part of subcall function 000002287BC207E0: IsBadReadPtr.KERNEL32 ref: 000002287BC20948
Part of subcall function 000002287BC207E0: EnterCriticalSection.KERNEL32 ref: 000002287BC2095B
Part of subcall function 000002287BC207E0: VirtualAlloc.KERNEL32 ref: 000002287BC20972

WaitForSingleObject.KERNEL32 ref: 000002287BC11CDD
NtQuerySystemInformation.NTDLL ref: 000002287BC11CFB
VirtualFree.KERNEL32 ref: 000002287BC11D19
VirtualAlloc.KERNEL32 ref: 000002287BC11D2D
memset.NTDLL ref: 000002287BC11D49
NtQuerySystemInformation.NTDLL ref: 000002287BC11D62
lstrcmpiW.KERNEL32 ref: 000002287BC11D83
WaitForSingleObject.KERNEL32 ref: 000002287BC11DD0
CloseHandle.KERNEL32 ref: 000002287BC11DE4

Strings

perfmon.exe, xrefs: 000002287BC11D7C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
String ID: perfmon.exe
API String ID: 441768363-2343862317
Opcode ID: dfac3d95dafb68267b964dbcae157b1c23b791cd9a1bfc5cf907826d86bec976
Instruction ID: 4284110f3e8ad36c01a2b403e3fd955a666258c0186cb520eabeef9f8da1423c
Opcode Fuzzy Hash: dfac3d95dafb68267b964dbcae157b1c23b791cd9a1bfc5cf907826d86bec976
Instruction Fuzzy Hash: AE419D79316658A2FB249F97A91CB2AF7A3EBC5BD0F24C019DD4653A94DF38C8068740

Function 000002287BC1AC30 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002287BC1AC83
RegisterClassW.USER32 ref: 000002287BC1ACA6
CreateWindowExW.USER32 ref: 000002287BC1ACFC
SetWindowLongPtrW.USER32 ref: 000002287BC1AD19
WTSRegisterSessionNotification.WTSAPI32 ref: 000002287BC1AD27
ShowWindow.USER32 ref: 000002287BC1AD36
GetMessageW.USER32 ref: 000002287BC1AD61
TranslateMessage.USER32 ref: 000002287BC1AD75
DispatchMessageW.USER32 ref: 000002287BC1AD80
GetMessageW.USER32 ref: 000002287BC1AD93
WTSUnRegisterSessionNotification.WTSAPI32 ref: 000002287BC1ADA0

Strings

Session Logon, xrefs: 000002287BC1ACB4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
String ID: Session Logon
API String ID: 1979525249-2950959013
Opcode ID: 942ff96f7553420a477438ac6e2418f63b7fa3dd18cc102ed8dea73c53fc66ba
Instruction ID: deec788e3572e4054e3524e2106d7e29d8907fc7a93affc03eb618197d8c8d91
Opcode Fuzzy Hash: 942ff96f7553420a477438ac6e2418f63b7fa3dd18cc102ed8dea73c53fc66ba
Instruction Fuzzy Hash: FD418436619B81D2F710CF65F85C75AF3A2FBDA754F649225EA8947A24DF38C086CB00

Function 000002287BC18100 Relevance: 19.7, APIs: 13, Instructions: 166memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC18154
VirtualFree.KERNEL32 ref: 000002287BC1817E
VirtualAlloc.KERNEL32 ref: 000002287BC18195
VirtualAlloc.KERNEL32 ref: 000002287BC18232
InitializeCriticalSection.KERNEL32 ref: 000002287BC18244
CreateEventW.KERNEL32 ref: 000002287BC18264
VirtualFree.KERNEL32 ref: 000002287BC182CE
VirtualFree.KERNEL32 ref: 000002287BC182F8
GetCurrentThreadId.KERNEL32 ref: 000002287BC182FE
IsBadReadPtr.KERNEL32 ref: 000002287BC18315
EnterCriticalSection.KERNEL32 ref: 000002287BC18328
VirtualAlloc.KERNEL32 ref: 000002287BC1833F
LeaveCriticalSection.KERNEL32 ref: 000002287BC18363

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterFreeRead$Leave$Initialize$CreateCurrentEventThread
String ID:
API String ID: 3016386783-0
Opcode ID: e3a285b25eaabced6866736b6333e0fc7fa7b9c2b93cdea91f4aefe8000903a1
Instruction ID: 6ef636c9effe307efddf739d039eff90c71debc3d44ed8185890156cd908741e
Opcode Fuzzy Hash: e3a285b25eaabced6866736b6333e0fc7fa7b9c2b93cdea91f4aefe8000903a1
Instruction Fuzzy Hash: 6771733A202F4096FB24CFA2E94C659B3A6FB88B80F55C125DF8A43B64DF38D556C740

Function 000002287BC33580 Relevance: 19.7, APIs: 13, Instructions: 162fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000002287BC335AA
CreateFileW.KERNEL32 ref: 000002287BC3360E
SetFilePointer.KERNEL32 ref: 000002287BC33651
WriteFile.KERNEL32 ref: 000002287BC33673
GetFileSize.KERNEL32 ref: 000002287BC33683
GetLastError.KERNEL32 ref: 000002287BC33691
VirtualFree.KERNEL32 ref: 000002287BC33733
VirtualFree.KERNEL32 ref: 000002287BC3375D
VirtualFree.KERNEL32 ref: 000002287BC33773
VirtualFree.KERNEL32 ref: 000002287BC3379D
free.MSVCRT ref: 000002287BC337A6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FileFreeVirtual$CreateErrorLastPointerSizeWritefreemalloc
String ID:
API String ID: 287149550-0
Opcode ID: 6e8d475b8603f0748b7fbf2bb7a43d35069488cfdf279624691fd4053f346cd2
Instruction ID: 1983167751c711052853524a3b344d7fa68c2bd6d1d16633401927264b0b5694
Opcode Fuzzy Hash: 6e8d475b8603f0748b7fbf2bb7a43d35069488cfdf279624691fd4053f346cd2
Instruction Fuzzy Hash: 32617076312B8096FB24CF62E95875AB3A6FBC9F94F148515CE8A47B54DF38C096CB00

Function 000002287BC1AFA0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80windowclipboardregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002287BC1AFD8
RegisterClassW.USER32 ref: 000002287BC1AFFD
CreateWindowExW.USER32 ref: 000002287BC1B05B
SetClipboardViewer.USER32 ref: 000002287BC1B070
ShowWindow.USER32 ref: 000002287BC1B082
GetMessageW.USER32 ref: 000002287BC1B0AA
TranslateMessage.USER32 ref: 000002287BC1B0B9
DispatchMessageW.USER32 ref: 000002287BC1B0C4
GetMessageW.USER32 ref: 000002287BC1B0D7
ChangeClipboardChain.USER32 ref: 000002287BC1B0EB

Strings

CutActive, xrefs: 000002287BC1AFDE

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Message$ClipboardWindow$ChainChangeClassCreateDispatchHandleModuleRegisterShowTranslateViewer
String ID: CutActive
API String ID: 3542119435-15800375
Opcode ID: 92024b0bde8b3bff67f886c4a971c1a60dd38fa2e23f31450fe170ca41bc3e37
Instruction ID: 8df1424bdc2402b4c00e1e8ade8816d8c638e4ee9f0fb0244f1cc4cf02ebfb68
Opcode Fuzzy Hash: 92024b0bde8b3bff67f886c4a971c1a60dd38fa2e23f31450fe170ca41bc3e37
Instruction Fuzzy Hash: E3419576615BC192FB20CF61F59875AB3A2FBD9744F659125EA8943A14DF38C085C700

Function 000002287BC205E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000002287BC20612
OpenProcessToken.ADVAPI32 ref: 000002287BC20623
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC2064B
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC2066B
GetLastError.KERNEL32 ref: 000002287BC20671
CloseHandle.KERNEL32 ref: 000002287BC20685
VirtualAlloc.KERNEL32 ref: 000002287BC2069E
GetLastError.KERNEL32 ref: 000002287BC206AC
memcpy.NTDLL ref: 000002287BC206BE

Strings

SeDebugPrivilege, xrefs: 000002287BC2063A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLastProcessToken$AdjustAllocCloseCurrentHandleLookupOpenPrivilegePrivilegesValueVirtualmemcpy
String ID: SeDebugPrivilege
API String ID: 941393880-2896544425
Opcode ID: 64d226b9670f49d8a9e0e705f923d0f2e7b35577b626c09a55b078f8c501a6b6
Instruction ID: 6c6f791493302abf325a8a09e62bd9911342f299f5dd8de4e403c6cd3da17504
Opcode Fuzzy Hash: 64d226b9670f49d8a9e0e705f923d0f2e7b35577b626c09a55b078f8c501a6b6
Instruction Fuzzy Hash: C1317175206B41D2F754DFA6B948A8AB7A1F7C4B94F248126AE5A437A4DF38C446CB00

Function 000002287BC13F70 Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualAlloc.KERNEL32 ref: 000002287BC13FE6
VirtualAlloc.KERNEL32 ref: 000002287BC1410D
VirtualFree.KERNEL32 ref: 000002287BC14126
VirtualFree.KERNEL32 ref: 000002287BC1413C
VirtualFree.KERNEL32 ref: 000002287BC14240
VirtualFree.KERNEL32 ref: 000002287BC1426A
VirtualFree.KERNEL32 ref: 000002287BC1427B
VirtualFree.KERNEL32 ref: 000002287BC14166

Part of subcall function 000002287BC151D0: _time64.MSVCRT ref: 000002287BC15240
Part of subcall function 000002287BC151D0: srand.MSVCRT ref: 000002287BC15249
Part of subcall function 000002287BC151D0: rand.MSVCRT ref: 000002287BC15260

VirtualFree.KERNEL32 ref: 000002287BC1432F
VirtualFree.KERNEL32 ref: 000002287BC14359

Strings

:, xrefs: 000002287BC142E0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
String ID: :
API String ID: 3336294232-336475711
Opcode ID: 4a1ee15b70e983d72f2b6c8e8c89807c7b3f2bf339b37207a4164e15b2f1c3b3
Instruction ID: a90a99278ee96c7a1bf51705e177d36a790407bd77c36a876869d4d1712c8bf9
Opcode Fuzzy Hash: 4a1ee15b70e983d72f2b6c8e8c89807c7b3f2bf339b37207a4164e15b2f1c3b3
Instruction Fuzzy Hash: 5DB1D366711B8182FB158F7AE408769A7A2FBCAF84F24D225DE8957744EF38C446CB40

Function 000002287BC1FE70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000002287BC1FEA1
OpenProcessToken.ADVAPI32 ref: 000002287BC1FEB4
LookupPrivilegeValueW.ADVAPI32 ref: 000002287BC1FEDC
AdjustTokenPrivileges.ADVAPI32 ref: 000002287BC1FF06
GetLastError.KERNEL32 ref: 000002287BC1FF0C
CloseHandle.KERNEL32 ref: 000002287BC1FF20
OpenProcess.KERNEL32 ref: 000002287BC1FF30
GetLastError.KERNEL32 ref: 000002287BC1FF58

Strings

SeDebugPrivilege, xrefs: 000002287BC1FECB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$ErrorLastOpenToken$AdjustCloseCurrentHandleLookupPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3627867324-2896544425
Opcode ID: 957489cac4136593f29e2710016b529f371e9bf1ab0a929def486fffce1b8d9d
Instruction ID: 1efa2491ec4f2842813b561088a9878c844b6f31c9ab99e83eb1c9f9f05710ba
Opcode Fuzzy Hash: 957489cac4136593f29e2710016b529f371e9bf1ab0a929def486fffce1b8d9d
Instruction Fuzzy Hash: 3C215E79216B44D1F750CF51F51C74AB2A2FBC5BA4F248216AAAA93BE4DF78C0068B40

Function 000002287BC1D580 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1D5A9

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1D5E2
VirtualFree.KERNEL32 ref: 000002287BC1D60C
VirtualFree.KERNEL32 ref: 000002287BC1D664
VirtualFree.KERNEL32 ref: 000002287BC1D68E
ShellExecuteW.SHELL32 ref: 000002287BC1D6BA
ShellExecuteW.SHELL32 ref: 000002287BC1D6E9

Strings

open, xrefs: 000002287BC1D6B1, 000002287BC1D6E0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$ExecuteLeaveShell$Initializememset
String ID: open
API String ID: 3986399138-2758837156
Opcode ID: 6d9d256139eb3bc9c2d95be2e2fb8a3d9a934a4e4607d62c8750735d189a9848
Instruction ID: 10dd9319ff0ff2775c541f14a35eca706332c458e330acafd8abfb58664ecabc
Opcode Fuzzy Hash: 6d9d256139eb3bc9c2d95be2e2fb8a3d9a934a4e4607d62c8750735d189a9848
Instruction Fuzzy Hash: 3441BE76306B4496FB24CFA2E58875AB3A2FBC9B84F148015CB8A43F58DF39D056CB00

Function 000002287BC2A880 Relevance: 13.7, APIs: 9, Instructions: 171COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 000002287BC2A8F5
VirtualFree.KERNEL32 ref: 000002287BC2A91F
VirtualFree.KERNEL32 ref: 000002287BC2AA7B
VirtualFree.KERNEL32 ref: 000002287BC2AAA5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: cbc11050a615b560ec0fb16b81fba0894eab893223cedc50fcc949d023bc43e2
Instruction ID: 2eee8fa5dea3f0ae4e20647aa1f4bc24e0bdae295fd1f4388b2e8032d9d244b1
Opcode Fuzzy Hash: cbc11050a615b560ec0fb16b81fba0894eab893223cedc50fcc949d023bc43e2
Instruction Fuzzy Hash: 0051417A302A0097FB14DFA2D658769A3A2FB89F91F148025DE4647B50DF38D1A78700

Function 000002287BC268A0 Relevance: 13.7, APIs: 9, Instructions: 162stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

NetUserEnum.NETAPI32 ref: 000002287BC2691C
lstrlenW.KERNEL32 ref: 000002287BC2695E
NetApiBufferFree.NETAPI32 ref: 000002287BC269B9
malloc.MSVCRT ref: 000002287BC269D5
VirtualFree.KERNEL32 ref: 000002287BC26A87
VirtualFree.KERNEL32 ref: 000002287BC26AB1
free.MSVCRT ref: 000002287BC26ABA
VirtualFree.KERNEL32 ref: 000002287BC26AE4
VirtualFree.KERNEL32 ref: 000002287BC26B0E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$BufferEnumInitializeUserfreelstrlenmalloc
String ID:
API String ID: 1638303497-0
Opcode ID: 422d3ffbe3d8cb5f19993c39f39f44159496065362729c67ad13fe53bb009b02
Instruction ID: d5da05fef6dfbec46ca72252bec508f758dee9520289da512438f667982172fb
Opcode Fuzzy Hash: 422d3ffbe3d8cb5f19993c39f39f44159496065362729c67ad13fe53bb009b02
Instruction Fuzzy Hash: FA617236312B8096EB64DFA2E45875EB7A5FBC9F84F148125DE8A43B54DF38C485C700

Function 000002287BC45020 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 431COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 000002287BC45559

Strings

general child recurse, xrefs: 000002287BC45119
lws_free, xrefs: 000002287BC450DC
free, xrefs: 000002287BC45087, 000002287BC451AF, 000002287BC45241, 000002287BC455D3
closed before established, xrefs: 000002287BC454C9
__lws_close_free_wsi, xrefs: 000002287BC452B4, 000002287BC4542B
Closed before conn, xrefs: 000002287BC4570F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: shutdown
String ID: Closed before conn$__lws_close_free_wsi$closed before established$free$general child recurse$lws_free
API String ID: 2510479042-3708836321
Opcode ID: 3e5a43072d973b0e0104fdfc6ddef0d8611c4a43ad48f66a2907ffa38764c6bc
Instruction ID: a398daac7180b35f18426ff5be1127bce7ec3b7605847c4da8964be1031b0c11
Opcode Fuzzy Hash: 3e5a43072d973b0e0104fdfc6ddef0d8611c4a43ad48f66a2907ffa38764c6bc
Instruction Fuzzy Hash: 0812C36A20278092FB558FA5D4583A9BBA2F781B68F68C136DF494B2D9CF34C647C710

Function 000002287BC4A8C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 56networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000002287BC4A8ED
socket.WS2_32 ref: 000002287BC4A90B
htonl.WS2_32 ref: 000002287BC4A92A
bind.WS2_32 ref: 000002287BC4A951
getsockname.WS2_32 ref: 000002287BC4A976

Strings

%s: failed, xrefs: 000002287BC4A99C
lws_plat_pipe_create, xrefs: 000002287BC4A990

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: socket$bindgetsocknamehtonl
String ID: %s: failed$lws_plat_pipe_create
API String ID: 858234250-3012564250
Opcode ID: 3f87ba6ed45bd64227a18573b1ccf183bb6461fb3e8dd54df34caa1bfe4df424
Instruction ID: 025bce082e439024e0181b41b62b2a070808d2fbf48d1438317855d132d48719
Opcode Fuzzy Hash: 3f87ba6ed45bd64227a18573b1ccf183bb6461fb3e8dd54df34caa1bfe4df424
Instruction Fuzzy Hash: 0B21A736311A90A2F7408F64E44C78A7365F785B68F685336DA79473E8DF38C942C745

Function 000002287BC326F0 Relevance: 12.2, APIs: 8, Instructions: 180commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000002287BC3270C
CoInitializeSecurity.OLE32 ref: 000002287BC32745
CoCreateInstance.OLE32 ref: 000002287BC3277F
VariantInit.OLEAUT32 ref: 000002287BC32796
SysAllocString.OLEAUT32 ref: 000002287BC3286A
SysFreeString.OLEAUT32 ref: 000002287BC3288A
VirtualFree.KERNEL32 ref: 000002287BC3295D
VirtualFree.KERNEL32 ref: 000002287BC32987

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
String ID:
API String ID: 1458724981-0
Opcode ID: 91e7c9dbfc30646bc0b29806a77a63c0c93c8328fba435cf8b8a6d760b8d23cc
Instruction ID: 40318e503d1ed7b4ee45a72b27d15787e007347320cd6c6e9d50831257e7a9a0
Opcode Fuzzy Hash: 91e7c9dbfc30646bc0b29806a77a63c0c93c8328fba435cf8b8a6d760b8d23cc
Instruction Fuzzy Hash: 9E816A36615B90D6FB10CFA6E84869DB7B6FBC9B98F118116EE4947B18DF38C146CB00

Function 000002287BC35D20 Relevance: 10.7, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

EnumChildWindows.USER32 ref: 000002287BC35DDA
VirtualFree.KERNEL32 ref: 000002287BC35E93
VirtualFree.KERNEL32 ref: 000002287BC35EC1
VirtualFree.KERNEL32 ref: 000002287BC35ED7
VirtualFree.KERNEL32 ref: 000002287BC35F01
VirtualFree.KERNEL32 ref: 000002287BC35F17
VirtualFree.KERNEL32 ref: 000002287BC35F41

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$FreeLeave$ChildEnumInitializeWindows
String ID:
API String ID: 1372703463-0
Opcode ID: 890bd80eef171c6753082382bea96ea789f709266cadba96a9c55cb09662d23f
Instruction ID: dcd26d2a9556bd1358892a5d9dabe0252b9e7e23bb69bab0edab0bbe4a04604c
Opcode Fuzzy Hash: 890bd80eef171c6753082382bea96ea789f709266cadba96a9c55cb09662d23f
Instruction Fuzzy Hash: A951823A302B4096EB64DF63E85CA5AB7A6FBC9FD4F5280249E4A43704DF38C049DB04

Function 000002287BC35B60 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

EnumWindows.USER32 ref: 000002287BC35B90

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

VirtualFree.KERNEL32 ref: 000002287BC35C51
VirtualFree.KERNEL32 ref: 000002287BC35C7B
VirtualFree.KERNEL32 ref: 000002287BC35C91
VirtualFree.KERNEL32 ref: 000002287BC35CBB
VirtualFree.KERNEL32 ref: 000002287BC35CD1
VirtualFree.KERNEL32 ref: 000002287BC35CFB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$FreeLeave$EnumInitializeWindows
String ID:
API String ID: 3069422982-0
Opcode ID: 278c29247941e0e49f0459c8c4c899eab9c06726c83261f9871ab7ff216c4423
Instruction ID: 110b9ca2239bcadc197d4ff4b4a9a0dc5ec4866298f9fc97cdee76cc2b3cee68
Opcode Fuzzy Hash: 278c29247941e0e49f0459c8c4c899eab9c06726c83261f9871ab7ff216c4423
Instruction Fuzzy Hash: 5D418236312B0096FB64DFA3E45C61AB7A6FBC9F84B5AC415DE8A43B14DF39D0858B04

Function 000002287BC25850 Relevance: 10.2, APIs: 8, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC258A4
VirtualFree.KERNEL32 ref: 000002287BC258CE
VirtualAlloc.KERNEL32 ref: 000002287BC258E5
VirtualFree.KERNEL32 ref: 000002287BC259DC
VirtualFree.KERNEL32 ref: 000002287BC25A06
VirtualFree.KERNEL32 ref: 000002287BC25A2B
VirtualFree.KERNEL32 ref: 000002287BC25A55
VirtualFree.KERNEL32 ref: 000002287BC25A7A

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 56575674953e52446c9c6f2cb0a5475926c8fa99b6cd62e2e2a59526b670af81
Instruction ID: 6ac213f9a92dd4e812461325f6661db8a856bac8ce36c48ce5fdb6a2786dd8c0
Opcode Fuzzy Hash: 56575674953e52446c9c6f2cb0a5475926c8fa99b6cd62e2e2a59526b670af81
Instruction Fuzzy Hash: 6D613039702B4096FB64DFA2E49865AB3A6FB89B40F55C125CF8E43B14EF38D196C740

Function 000002287BC24540 Relevance: 10.2, APIs: 8, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC24594
VirtualFree.KERNEL32 ref: 000002287BC245BE
VirtualAlloc.KERNEL32 ref: 000002287BC245D5
VirtualFree.KERNEL32 ref: 000002287BC246CC
VirtualFree.KERNEL32 ref: 000002287BC246F6
VirtualFree.KERNEL32 ref: 000002287BC2471B
VirtualFree.KERNEL32 ref: 000002287BC24745
VirtualFree.KERNEL32 ref: 000002287BC2476A

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 651bcfa8f5b2f8c56ed35097f6478b68f82154c26c75f677c7bf8dc4e9d2a479
Instruction ID: d54796d5706647385d12d25590b1b7595ff5a5015169d7001c6383989d96f1ab
Opcode Fuzzy Hash: 651bcfa8f5b2f8c56ed35097f6478b68f82154c26c75f677c7bf8dc4e9d2a479
Instruction Fuzzy Hash: B661303A602B4096FB64DFA2E45875AB3A6FB89B80F55C125CF8E43B14EF38D195C740

Function 000002287BC253D0 Relevance: 10.1, APIs: 8, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC25424
VirtualFree.KERNEL32 ref: 000002287BC2544E
VirtualAlloc.KERNEL32 ref: 000002287BC25465
VirtualFree.KERNEL32 ref: 000002287BC25551
VirtualFree.KERNEL32 ref: 000002287BC2557B
VirtualFree.KERNEL32 ref: 000002287BC255A0
VirtualFree.KERNEL32 ref: 000002287BC255CA
VirtualFree.KERNEL32 ref: 000002287BC255EF

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: e6ec2c9cfd8c1cfc945c6b42395d5e9725ae1b2f66c0eb6d6dbc601a21de48e7
Instruction ID: b7a19ab9b805ba0ee24999789cc0d61af393ae7e02a480cbf382940f26e76fc4
Opcode Fuzzy Hash: e6ec2c9cfd8c1cfc945c6b42395d5e9725ae1b2f66c0eb6d6dbc601a21de48e7
Instruction Fuzzy Hash: 4B614F39202B4096FB64DFA2E55C65AB3A6FB88B40F15C125CB8A43B14EF38D1958740

Function 000002287BC24790 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC247E4
VirtualFree.KERNEL32 ref: 000002287BC2480E
VirtualAlloc.KERNEL32 ref: 000002287BC24825
VirtualFree.KERNEL32 ref: 000002287BC248FB
VirtualFree.KERNEL32 ref: 000002287BC24925
VirtualFree.KERNEL32 ref: 000002287BC2494A
VirtualFree.KERNEL32 ref: 000002287BC24974
VirtualFree.KERNEL32 ref: 000002287BC24999

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: fd80817d139fa4e2b64631e6e26df79415a8341bdc569966b9b01ccc11376cda
Instruction ID: 7f9f3dac2ad22bb0f571bf03f1e76b3d166015310430a62b0cba4c9dfd1088c5
Opcode Fuzzy Hash: fd80817d139fa4e2b64631e6e26df79415a8341bdc569966b9b01ccc11376cda
Instruction Fuzzy Hash: 9F515F3A302B4096FB64DFA2E45865AB3A6FB89B80F15C125DF8A43B14DF38D195C700

Function 000002287BC24E20 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC24E74
VirtualFree.KERNEL32 ref: 000002287BC24E9E
VirtualAlloc.KERNEL32 ref: 000002287BC24EB5
VirtualFree.KERNEL32 ref: 000002287BC24F8B
VirtualFree.KERNEL32 ref: 000002287BC24FB5
VirtualFree.KERNEL32 ref: 000002287BC24FDA
VirtualFree.KERNEL32 ref: 000002287BC25004
VirtualFree.KERNEL32 ref: 000002287BC25029

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 57bd48782e32a08d7b1b1d9009b8d3aa3fc8873e5788f85967af6eb319595940
Instruction ID: f794c535e14eba163fedc5fb54db7e3caf2737a6964f6a954065d74cf6d29034
Opcode Fuzzy Hash: 57bd48782e32a08d7b1b1d9009b8d3aa3fc8873e5788f85967af6eb319595940
Instruction Fuzzy Hash: 05515039302B4096FB64CFA2E45875AB3A6FBC8B80F15C125DF8A43B14DF38D1968740

Function 000002287BC25620 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC25674
VirtualFree.KERNEL32 ref: 000002287BC2569E
VirtualAlloc.KERNEL32 ref: 000002287BC256B5
VirtualFree.KERNEL32 ref: 000002287BC2578B
VirtualFree.KERNEL32 ref: 000002287BC257B5
VirtualFree.KERNEL32 ref: 000002287BC257DA
VirtualFree.KERNEL32 ref: 000002287BC25804
VirtualFree.KERNEL32 ref: 000002287BC25829

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 2f075d1a1437c4c3a206eadfd76b465537f6e84eaaf7f606776d60a5c38b7f6b
Instruction ID: 356cbaa2c9dca73f2a55d010fe4237352ed5c557757da53bceae6be7e4a236fa
Opcode Fuzzy Hash: 2f075d1a1437c4c3a206eadfd76b465537f6e84eaaf7f606776d60a5c38b7f6b
Instruction Fuzzy Hash: 9851513A712B4096FB64CFA2E45865AB3A6FBC9B80F15C125DF8A43B14EF38D1958740

Function 000002287BC24BF0 Relevance: 10.1, APIs: 8, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC24C44

Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14E9D
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EB0
Part of subcall function 000002287BC14E80: CloseHandle.KERNEL32 ref: 000002287BC14EC6
Part of subcall function 000002287BC14E80: DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
Part of subcall function 000002287BC14E80: VirtualFree.KERNEL32 ref: 000002287BC14F1A

VirtualFree.KERNEL32 ref: 000002287BC24C6E
VirtualAlloc.KERNEL32 ref: 000002287BC24C85
VirtualFree.KERNEL32 ref: 000002287BC24D50
VirtualFree.KERNEL32 ref: 000002287BC24D7A
VirtualFree.KERNEL32 ref: 000002287BC24D9F
VirtualFree.KERNEL32 ref: 000002287BC24DC9
VirtualFree.KERNEL32 ref: 000002287BC24DEE

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 0ac0060dcfd5a306c7b66bef3dfc52a33a24784a9d8ada1fc2c7a0065a5b076b
Instruction ID: 44fa1bfea67dda4aba46f8f1775b61035390f2f4b03e4999ccf311ba37b37d32
Opcode Fuzzy Hash: 0ac0060dcfd5a306c7b66bef3dfc52a33a24784a9d8ada1fc2c7a0065a5b076b
Instruction Fuzzy Hash: 7751603A702B4096FB64DFA2E49875AB3A6FBC8B80F15C125DF8A43B14DF38D5958740

Function 000002287BC25D20 Relevance: 10.1, APIs: 8, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC25D74
VirtualFree.KERNEL32 ref: 000002287BC25D9E
VirtualAlloc.KERNEL32 ref: 000002287BC25DB5
VirtualFree.KERNEL32 ref: 000002287BC25E75
VirtualFree.KERNEL32 ref: 000002287BC25E9F
VirtualFree.KERNEL32 ref: 000002287BC25EC4
VirtualFree.KERNEL32 ref: 000002287BC25EEE
VirtualFree.KERNEL32 ref: 000002287BC25F13

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leave$Initialize
String ID:
API String ID: 529218107-0
Opcode ID: 32769cce58e56143a75351117c5e5ffe1a32f8741d2f6b57a7632bb4ab8db333
Instruction ID: 6bfb081b7d46aca41e774427f11c3719fe9afaaac511ea72674a55a36484a51b
Opcode Fuzzy Hash: 32769cce58e56143a75351117c5e5ffe1a32f8741d2f6b57a7632bb4ab8db333
Instruction Fuzzy Hash: 83515D3A702B4096FB64DFA2E45875AB3A6FBC9B80F15C1259F8A43B14DF38D4928740

Function 000002287BC36848 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 410COMMON

Download Yara Rule

Strings

unknown compression method, xrefs: 000002287BC367C9
header crc mismatch, xrefs: 000002287BC36CE0
unknown header flags set, xrefs: 000002287BC3688F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID:
String ID: header crc mismatch$unknown compression method$unknown header flags set
API String ID: 0-1578397619
Opcode ID: 9b4078bed5bfcd5864b8ebac496d82fc1045e3aef2f02ea94c7145d1e548f647
Instruction ID: 857cf66a74720e488a81dcbdd25969f9bc1a5866f4b043db53cb57650c37f298
Opcode Fuzzy Hash: 9b4078bed5bfcd5864b8ebac496d82fc1045e3aef2f02ea94c7145d1e548f647
Instruction Fuzzy Hash: 3902C12A606350ABF7288FA5C14836CBBB2F384748F668528CF5D93B90DB34D566E741

Function 000002287BC1DF30 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000002287BC1DF7C
memset.NTDLL ref: 000002287BC1DFC3
FindFirstFileW.KERNEL32 ref: 000002287BC1DFD4
free.MSVCRT ref: 000002287BC1DFF6

Part of subcall function 000002287BC1DDB0: VirtualFree.KERNEL32 ref: 000002287BC1DE4A
Part of subcall function 000002287BC1DDB0: VirtualFree.KERNEL32 ref: 000002287BC1DE74
Part of subcall function 000002287BC1DDB0: CreateThread.KERNEL32 ref: 000002287BC1DEA0
Part of subcall function 000002287BC1DDB0: IsBadReadPtr.KERNEL32 ref: 000002287BC1DEC4
Part of subcall function 000002287BC1DDB0: EnterCriticalSection.KERNEL32 ref: 000002287BC1DED7
Part of subcall function 000002287BC1DDB0: VirtualAlloc.KERNEL32 ref: 000002287BC1DEEE
Part of subcall function 000002287BC1DDB0: LeaveCriticalSection.KERNEL32 ref: 000002287BC1DF12

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalFreeSection$AllocCreateEnterFileFindFirstLeaveReadThreadfreemallocmemset
String ID:
API String ID: 4255097067-0
Opcode ID: f9bbf5e71686089cafa3498ccc1526af5447c4864708586d0a513123ba2cc5d2
Instruction ID: 4a220c8e95f0c33a6242753f2f35c92fb25538ced58347f8db91631f52f824fd
Opcode Fuzzy Hash: f9bbf5e71686089cafa3498ccc1526af5447c4864708586d0a513123ba2cc5d2
Instruction Fuzzy Hash: 5C21A47630168492EB609F21E44C79DA3A6F789FC4F658131DE9E47748DF39C64AC740

Function 000002287BC13490 Relevance: 64.1, APIs: 51, Instructions: 358memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
IsBadReadPtr.KERNEL32 ref: 000002287BC13587
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
IsBadReadPtr.KERNEL32 ref: 000002287BC13733
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137D8
IsBadReadPtr.KERNEL32 ref: 000002287BC137F1
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13807
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1382B
IsBadReadPtr.KERNEL32 ref: 000002287BC13844
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1385A
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13886
IsBadReadPtr.KERNEL32 ref: 000002287BC1389F
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC138B5
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC138D9
IsBadReadPtr.KERNEL32 ref: 000002287BC138F2
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13908
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1392C
IsBadReadPtr.KERNEL32 ref: 000002287BC13945
EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1395B
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13986
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC139AB
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC139BD
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC139CF
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC139E1
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC139F3
LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13A05

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
String ID:
API String ID: 3051317124-0
Opcode ID: 8568f08c7c9be0e6d073f13ea549ebd13c7c208c02a23d5334f29e22a4de9aef
Instruction ID: 761779a3454982858d5f4ae185320ff6cb2dceaa3ec965ed5245de70699bcacb
Opcode Fuzzy Hash: 8568f08c7c9be0e6d073f13ea549ebd13c7c208c02a23d5334f29e22a4de9aef
Instruction Fuzzy Hash: 25F14A79202B44A2FF558F62E958769A3A6F7D5F89F6CC026CE4A133A4DF38C546C310

Function 000002287BC19620 Relevance: 50.9, APIs: 28, Strings: 1, Instructions: 182memoryprocessstringCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC19686
GetProcessHeap.KERNEL32 ref: 000002287BC19695
HeapAlloc.KERNEL32 ref: 000002287BC196A9
CloseHandle.KERNEL32 ref: 000002287BC196BE
WTSGetActiveConsoleSessionId.KERNEL32 ref: 000002287BC196CD
WaitForSingleObject.KERNEL32 ref: 000002287BC1970B
CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC19728
GetProcessHeap.KERNEL32 ref: 000002287BC19737
HeapAlloc.KERNEL32 ref: 000002287BC1974B
CloseHandle.KERNEL32 ref: 000002287BC19760
WTSGetActiveConsoleSessionId.KERNEL32 ref: 000002287BC1976F
WaitForSingleObject.KERNEL32 ref: 000002287BC197AD
VirtualFree.KERNEL32 ref: 000002287BC197ED
VirtualFree.KERNEL32 ref: 000002287BC19817
Process32FirstW.KERNEL32 ref: 000002287BC19831
lstrcmpiW.KERNEL32 ref: 000002287BC1984B
Process32NextW.KERNEL32 ref: 000002287BC1985B
GetProcessHeap.KERNEL32 ref: 000002287BC1986A
HeapFree.KERNEL32 ref: 000002287BC19878
CloseHandle.KERNEL32 ref: 000002287BC19881
ProcessIdToSessionId.KERNEL32 ref: 000002287BC19899
Process32FirstW.KERNEL32 ref: 000002287BC198AD
lstrcmpiW.KERNEL32 ref: 000002287BC198CB
Process32NextW.KERNEL32 ref: 000002287BC198DB
GetProcessHeap.KERNEL32 ref: 000002287BC198EA
HeapFree.KERNEL32 ref: 000002287BC198F8
CloseHandle.KERNEL32 ref: 000002287BC19901
ProcessIdToSessionId.KERNEL32 ref: 000002287BC19919

Strings

explorer.exe, xrefs: 000002287BC19844, 000002287BC198C4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Heap$AllocVirtual$CriticalProcessSection$CloseFreeHandleProcess32Session$EnterRead$ActiveConsoleCreateFirstLeaveNextObjectSingleSnapshotToolhelp32Waitlstrcmpi$Initialize
String ID: explorer.exe
API String ID: 2751948232-3187896405
Opcode ID: d2a91ab24c2bf9db6eb1a729d818684c837b503c5b22bd8eeedfdeba2b21ab3c
Instruction ID: 073e23dd6a059e070496afe316be3b9b55320d30e6cbb4e7aa386b4bf122a3ff
Opcode Fuzzy Hash: d2a91ab24c2bf9db6eb1a729d818684c837b503c5b22bd8eeedfdeba2b21ab3c
Instruction Fuzzy Hash: 7A819D69202A44D2FB509FA2E91CB19B3A3FBCAF94F64C225C91A57794EF38C447C710

Function 000002287BC17D50 Relevance: 37.7, APIs: 25, Instructions: 177sleepsynchronizationpipeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000002287BC17D72
IsBadReadPtr.KERNEL32 ref: 000002287BC17D87
EnterCriticalSection.KERNEL32 ref: 000002287BC17D9F
LeaveCriticalSection.KERNEL32 ref: 000002287BC17DC2
IsBadReadPtr.KERNEL32 ref: 000002287BC17DE0
EnterCriticalSection.KERNEL32 ref: 000002287BC17DF3
LeaveCriticalSection.KERNEL32 ref: 000002287BC17E20
VirtualFree.KERNEL32 ref: 000002287BC17E45
LeaveCriticalSection.KERNEL32 ref: 000002287BC17E4F
IsBadReadPtr.KERNEL32 ref: 000002287BC17E6E
EnterCriticalSection.KERNEL32 ref: 000002287BC17E84
LeaveCriticalSection.KERNEL32 ref: 000002287BC17EA5
IsBadReadPtr.KERNEL32 ref: 000002287BC17EBA
EnterCriticalSection.KERNEL32 ref: 000002287BC17ED5
LeaveCriticalSection.KERNEL32 ref: 000002287BC17F09
DisconnectNamedPipe.KERNEL32 ref: 000002287BC17F21
CloseHandle.KERNEL32 ref: 000002287BC17F30
DeleteCriticalSection.KERNEL32 ref: 000002287BC17F3E
VirtualFree.KERNEL32 ref: 000002287BC17F4F
VirtualFree.KERNEL32 ref: 000002287BC17F74
LeaveCriticalSection.KERNEL32 ref: 000002287BC17F7E
CloseHandle.KERNEL32 ref: 000002287BC17F9B
SetEvent.KERNEL32 ref: 000002287BC17FB6
Sleep.KERNEL32 ref: 000002287BC17FC1
ResetEvent.KERNEL32 ref: 000002287BC17FD2

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$FreeVirtual$CloseEventHandle$DeleteDisconnectNamedObjectPipeResetSingleSleepWait
String ID:
API String ID: 2612321180-0
Opcode ID: 3aeab687b8a4c2846d007608538cd5cdf3d6eb69ec080773636f944a7d441a24
Instruction ID: e10fcbf9707fcdabf5e869c8d4843a2aea215949600dbd3ef171ea1279912061
Opcode Fuzzy Hash: 3aeab687b8a4c2846d007608538cd5cdf3d6eb69ec080773636f944a7d441a24
Instruction Fuzzy Hash: 2A812DA9203A04E2FF549FA2D55D729A3A2EBC5F89F68C426DE0A57754DF38CC478301

Function 000002287BC14E80 Relevance: 31.7, APIs: 21, Instructions: 168COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000002287BC14E9D
CloseHandle.KERNEL32 ref: 000002287BC14EB0
CloseHandle.KERNEL32 ref: 000002287BC14EC6
DeleteCriticalSection.KERNEL32 ref: 000002287BC14EED
VirtualFree.KERNEL32 ref: 000002287BC14F1A
SetEvent.KERNEL32 ref: 000002287BC14F4D
CloseHandle.KERNEL32 ref: 000002287BC14F5C
DeleteCriticalSection.KERNEL32 ref: 000002287BC14F81
VirtualFree.KERNEL32 ref: 000002287BC14F92
CloseHandle.KERNEL32 ref: 000002287BC14FC1
CloseHandle.KERNEL32 ref: 000002287BC14FD4
DeleteCriticalSection.KERNEL32 ref: 000002287BC14FE7
VirtualFree.KERNEL32 ref: 000002287BC14FF8
SetEvent.KERNEL32 ref: 000002287BC15043
CloseHandle.KERNEL32 ref: 000002287BC15052
CloseHandle.KERNEL32 ref: 000002287BC15065
CloseHandle.KERNEL32 ref: 000002287BC15078
VirtualFree.KERNEL32 ref: 000002287BC150A5
VirtualFree.KERNEL32 ref: 000002287BC150CF
DeleteCriticalSection.KERNEL32 ref: 000002287BC150E0
VirtualFree.KERNEL32 ref: 000002287BC150F1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$FreeVirtual$CriticalDeleteSection$Event
String ID:
API String ID: 10935847-0
Opcode ID: 422750834f799e2f9d60e292def9ea666cc0ce8b4960a53ab5d89ffac0fa2ea1
Instruction ID: f35ca4fd710288289c5bb3636111d12257ffc7b4e3382612f234af6a15323a14
Opcode Fuzzy Hash: 422750834f799e2f9d60e292def9ea666cc0ce8b4960a53ab5d89ffac0fa2ea1
Instruction Fuzzy Hash: 77815A29303A40A6FF68DFE2E558729B3A6FBC5F44F288016CB4B97A54DF38D4528750

Function 000002287BC32E70 Relevance: 30.1, APIs: 20, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32E87
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32EB6
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32EC8
CreateEventW.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32EEC
IsBadReadPtr.KERNEL32 ref: 000002287BC32F02
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32F15
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32F2C
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32F5B
IsBadReadPtr.KERNEL32 ref: 000002287BC32F6D
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32F80
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32F97
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32FC6
IsBadReadPtr.KERNEL32 ref: 000002287BC32FD8
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC32FEB
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC33002
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC33031
IsBadReadPtr.KERNEL32 ref: 000002287BC33043
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC33056
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC3306D
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC14A50), ref: 000002287BC3309C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$CreateEventInitialize
String ID:
API String ID: 3948381741-0
Opcode ID: e594c7875a29b7cb1e4df31b8ef2daef451c29f3e1b1efe58ba1ebc236cfbe66
Instruction ID: 77086b6f0621f32bdbabf19c33c033df47c868657fb136151fe88ca325e6b9a1
Opcode Fuzzy Hash: e594c7875a29b7cb1e4df31b8ef2daef451c29f3e1b1efe58ba1ebc236cfbe66
Instruction Fuzzy Hash: C8617139302B40E2FB058F61EA58769B3A6F788B85FA4C026CA5E43794DF38C566D341

Function 000002287BC200A0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 141processCOMMON

Download Yara Rule

APIs

WTSQueryUserToken.WTSAPI32 ref: 000002287BC20126
GetLastError.KERNEL32 ref: 000002287BC20130
DuplicateTokenEx.ADVAPI32 ref: 000002287BC20160
ConvertStringSidToSidW.ADVAPI32 ref: 000002287BC20175
GetLengthSid.ADVAPI32 ref: 000002287BC2018E
SetTokenInformation.ADVAPI32 ref: 000002287BC201A6
CreateEnvironmentBlock.USERENV ref: 000002287BC201B9
CreateProcessAsUserW.ADVAPI32 ref: 000002287BC20201
CreateProcessAsUserW.ADVAPI32 ref: 000002287BC2024C
GetLastError.KERNEL32 ref: 000002287BC20256
CloseHandle.KERNEL32 ref: 000002287BC20268
CloseHandle.KERNEL32 ref: 000002287BC2027C

Strings

S-1-16-12288, xrefs: 000002287BC2016E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CreateTokenUser$CloseErrorHandleLastProcess$BlockConvertDuplicateEnvironmentInformationLengthQueryString
String ID: S-1-16-12288
API String ID: 1141289200-1849704789
Opcode ID: ce80a4befca0d1060b8adb584f239cb62f45bb76b0cab765389f0d9962420255
Instruction ID: 5ea4321d1d1782b2d62d92317c390ce2319278dbe7ce05e60cbd9b9b7aba2fb1
Opcode Fuzzy Hash: ce80a4befca0d1060b8adb584f239cb62f45bb76b0cab765389f0d9962420255
Instruction Fuzzy Hash: 96612E36605B41D6F7508FA5E84869EB7B5F7C9788F208216EE8953F28DF38C196CB40

Function 000002287BC1C120 Relevance: 28.0, APIs: 12, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 000002287BC1C12F
ClearEventLogW.ADVAPI32 ref: 000002287BC1C142
CloseEventLog.ADVAPI32 ref: 000002287BC1C14B
OpenEventLogW.ADVAPI32 ref: 000002287BC1C15A
ClearEventLogW.ADVAPI32 ref: 000002287BC1C16D
CloseEventLog.ADVAPI32 ref: 000002287BC1C176
OpenEventLogW.ADVAPI32 ref: 000002287BC1C185
ClearEventLogW.ADVAPI32 ref: 000002287BC1C198
CloseEventLog.ADVAPI32 ref: 000002287BC1C1A1
OpenEventLogW.ADVAPI32 ref: 000002287BC1C1B0
ClearEventLogW.ADVAPI32 ref: 000002287BC1C1C3
CloseEventLog.ADVAPI32 ref: 000002287BC1C1CC

Strings

Security, xrefs: 000002287BC1C151
System, xrefs: 000002287BC1C17C
Application, xrefs: 000002287BC1C126
Setup, xrefs: 000002287BC1C1A7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$Setup$System
API String ID: 1391105993-476969907
Opcode ID: a72789b1ddaec7462d6fe802ac6aa3214d1ce91aa2e65104e699e4c2ce61343b
Instruction ID: 83c09a294a1dd322ebfd5cec865f7aa39dea02c9888ceed60cc3cdc8b16bbdab
Opcode Fuzzy Hash: a72789b1ddaec7462d6fe802ac6aa3214d1ce91aa2e65104e699e4c2ce61343b
Instruction Fuzzy Hash: 36119158B43B05E1FE199FB6791C6559693AFCEB55F689929880B4B350EE3CC04B8200

Function 000002287BC3D460 Relevance: 27.5, APIs: 1, Strings: 17, Instructions: 460COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC4AA20: WSAStartup.WS2_32 ref: 000002287BC4AA31

memset.NTDLL ref: 000002287BC3D874

Strings

prot_init, xrefs: 000002287BC3DA90
fds table, xrefs: 000002287BC3D8F3
NSC, xrefs: 000002287BC3DB51
system, xrefs: 000002287BC3DA74
OOM, xrefs: 000002287BC3DCB0
wsisrv, xrefs: 000002287BC3D606
wsicli, xrefs: 000002287BC3D622
Failed to create default vhost, xrefs: 000002287BC3DAEF
wsi, xrefs: 000002287BC3D5EA
Failed to init cookiejar, xrefs: 000002287BC3DBF9
lws_free, xrefs: 000002287BC3DC9D
context, xrefs: 000002287BC3D4FF
mux, xrefs: 000002287BC3D614
info->ka_interval can't be 0 if ka_time used, xrefs: 000002287BC3D8C1
unknown, xrefs: 000002287BC3DA62
OOM allocating %d fds, xrefs: 000002287BC3DC6D
lws_create_context, xrefs: 000002287BC3D8D4, 000002287BC3DB0C, 000002287BC3DC79

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Startupmemset
String ID: Failed to create default vhost$Failed to init cookiejar$NSC$OOM$OOM allocating %d fds$context$fds table$info->ka_interval can't be 0 if ka_time used$lws_create_context$lws_free$mux$prot_init$system$unknown$wsi$wsicli$wsisrv
API String ID: 1873301828-3289243303
Opcode ID: bf09bbd172752d6f71b80a47266d3d97ca0590e138c6ba5f89c48119b4ff15b5
Instruction ID: 256c4e7df1644aa368b3629286aec01e99c4cb8a8d999b8821866519bfd3d7f3
Opcode Fuzzy Hash: bf09bbd172752d6f71b80a47266d3d97ca0590e138c6ba5f89c48119b4ff15b5
Instruction Fuzzy Hash: FB32903A202B8095FB54CF65E44439AB3E6F784B88F688136DE9D4B398EF38D152D750

Function 000002287BC2D630 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 124memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000002287BC2D6BF
CoCreateInstance.OLE32 ref: 000002287BC2D6E4
CoCreateInstance.OLE32 ref: 000002287BC2D71A
CoUninitialize.OLE32 ref: 000002287BC2D738
SysAllocString.OLEAUT32 ref: 000002287BC2D760
SysAllocString.OLEAUT32 ref: 000002287BC2D770
SysAllocString.OLEAUT32 ref: 000002287BC2D780
SysFreeString.OLEAUT32 ref: 000002287BC2D7FA
SysFreeString.OLEAUT32 ref: 000002287BC2D803
SysFreeString.OLEAUT32 ref: 000002287BC2D80C
CoUninitialize.OLE32 ref: 000002287BC2D830

Strings

Block all outbound traffic, xrefs: 000002287BC2D766
i33L, xrefs: 000002287BC2D647
Block All Outbound, xrefs: 000002287BC2D74F
BlockAllGroup, xrefs: 000002287BC2D776

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
API String ID: 2562062002-1644180588
Opcode ID: 6afe0bc108ac2b0036ccd9803eb516903b393beede4406b580188529bc8acd80
Instruction ID: 4c92cedf6ac0493291cb700caeb8c6d961c2be267c8e88b294326da705a6947f
Opcode Fuzzy Hash: 6afe0bc108ac2b0036ccd9803eb516903b393beede4406b580188529bc8acd80
Instruction Fuzzy Hash: 5F51F57A601B44DAEB00CFB5D88829C77B1F788B88F248526DE5A57B28CF38C55AC751

Function 000002287BC1ADC0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 119clipboardstringwindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000002287BC1AE39
GetClipboardData.USER32 ref: 000002287BC1AE51
GlobalLock.KERNEL32 ref: 000002287BC1AE6B
lstrlenW.KERNEL32 ref: 000002287BC1AE89
lstrlenW.KERNEL32 ref: 000002287BC1AEAB
lstrlenW.KERNEL32 ref: 000002287BC1AEC7
GlobalUnlock.KERNEL32 ref: 000002287BC1AEDD
CloseClipboard.USER32 ref: 000002287BC1AEE3
VirtualFree.KERNEL32 ref: 000002287BC1AF14
VirtualFree.KERNEL32 ref: 000002287BC1AF3E
CloseClipboard.USER32 ref: 000002287BC1AF4E
SendMessageW.USER32 ref: 000002287BC1AF70
PostQuitMessage.USER32 ref: 000002287BC1AF85

Strings

[Clipboard content:], xrefs: 000002287BC1AE7D, 000002287BC1AE8F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Clipboard$lstrlen$CloseFreeGlobalMessageVirtual$DataLockOpenPostQuitSendUnlock
String ID: [Clipboard content:]
API String ID: 310769633-2989445775
Opcode ID: 7bca020af3b00c7c1722b78769ec56b2c5507b293bd382309b66642c886802aa
Instruction ID: 55393bbc25382fb6ca442986bcafd6b573e5ee99bdcaa7c3427d85284c188efd
Opcode Fuzzy Hash: 7bca020af3b00c7c1722b78769ec56b2c5507b293bd382309b66642c886802aa
Instruction Fuzzy Hash: B4419468303A00E6FB549FE6E45C769A3A2EFC9F94F28C021E95A57764DE3CC4878700

Function 000002287BC18D80 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 93stringfileCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC18D98
EnterCriticalSection.KERNEL32 ref: 000002287BC18DBB
EnterCriticalSection.KERNEL32 ref: 000002287BC18DE3
LeaveCriticalSection.KERNEL32 ref: 000002287BC18E12
IsBadReadPtr.KERNEL32 ref: 000002287BC18E24
EnterCriticalSection.KERNEL32 ref: 000002287BC18E32
VirtualFree.KERNEL32 ref: 000002287BC18E72
LeaveCriticalSection.KERNEL32 ref: 000002287BC18E7C
LeaveCriticalSection.KERNEL32 ref: 000002287BC18E9B
memset.NTDLL ref: 000002287BC18EB6
lstrcatW.KERNEL32 ref: 000002287BC18EC7
lstrcatW.KERNEL32 ref: 000002287BC18ED9
DeleteFileW.KERNEL32 ref: 000002287BC18EE4

Strings

\cp.cfg, xrefs: 000002287BC18ECD
C:\Program Files\Windows Mail, xrefs: 000002287BC18EBB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Readlstrcat$DeleteFileFreeVirtualmemset
String ID: C:\Program Files\Windows Mail$\cp.cfg
API String ID: 560399275-3904790782
Opcode ID: 32691194d63fb457e0283d7f5badc06286c47923e99f3822c2282396363ee7a0
Instruction ID: 6f921264059a4f6f8bdc5f603b6b3e73255be57e991a43c5107470ec4f38c153
Opcode Fuzzy Hash: 32691194d63fb457e0283d7f5badc06286c47923e99f3822c2282396363ee7a0
Instruction Fuzzy Hash: 5641706D307A09A2FE64CF91D69C369A362FBD5B48F688426C61E536A0EF38C557C301

Function 000002287BC23760 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000002287BC23784
ProcessIdToSessionId.KERNEL32 ref: 000002287BC23794
memset.NTDLL ref: 000002287BC237A7
wsprintfW.USER32 ref: 000002287BC237C4
GetCurrentProcess.KERNEL32 ref: 000002287BC237D8
TerminateProcess.KERNEL32 ref: 000002287BC237E3
memset.NTDLL ref: 000002287BC237F9
wsprintfW.USER32 ref: 000002287BC23819
GetCurrentProcess.KERNEL32 ref: 000002287BC23838
TerminateProcess.KERNEL32 ref: 000002287BC23843
WaitForSingleObject.KERNEL32 ref: 000002287BC2385A
GetCurrentProcess.KERNEL32 ref: 000002287BC23864
TerminateProcess.KERNEL32 ref: 000002287BC2386F

Strings

\\.\Pipe\%d_pipe%d, xrefs: 000002287BC237B4
\\.\Pipe\%d_Local_%d, xrefs: 000002287BC23806

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
API String ID: 1631145905-82101934
Opcode ID: bb6b434c0f2bba9a4d35353d0a33bbc8e9c93f951d0964acc5e522c3c3c5e198
Instruction ID: a086cd3c30d44ffe7b54222ddc4d200a8584650cfe3737b124db01526d2e750e
Opcode Fuzzy Hash: bb6b434c0f2bba9a4d35353d0a33bbc8e9c93f951d0964acc5e522c3c3c5e198
Instruction Fuzzy Hash: 3C314669305641E2FB209FA1E95C75AA373FBC5F89F14C016C94A47658DE3CC547CB21

Function 000002287BC217F0 Relevance: 25.7, APIs: 17, Instructions: 151networkmemorysleepCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 000002287BC21810
setsockopt.WS2_32 ref: 000002287BC2186C
setsockopt.WS2_32 ref: 000002287BC21890
setsockopt.WS2_32 ref: 000002287BC218BB
WSAIoctl.WS2_32 ref: 000002287BC21911
setsockopt.WS2_32 ref: 000002287BC21940

Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1458D
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC145BF
Part of subcall function 000002287BC14570: InitializeCriticalSection.KERNEL32 ref: 000002287BC145D4
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC145F0
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14603
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1461A
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC14649
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC1465E
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14671
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC14688
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC146B7
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC146CC
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC146DF
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC146F6

VirtualAlloc.KERNEL32 ref: 000002287BC21965
CreateThread.KERNEL32 ref: 000002287BC219B7
IsBadReadPtr.KERNEL32 ref: 000002287BC219CF
EnterCriticalSection.KERNEL32 ref: 000002287BC219E2
VirtualAlloc.KERNEL32 ref: 000002287BC219F8
LeaveCriticalSection.KERNEL32 ref: 000002287BC21A1C
CancelIo.KERNEL32 ref: 000002287BC21A2F
closesocket.WS2_32 ref: 000002287BC21A38
VirtualFree.KERNEL32 ref: 000002287BC21A49
Sleep.KERNEL32 ref: 000002287BC21A52
accept.WS2_32 ref: 000002287BC21A61

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterReadsetsockopt$Leave$accept$CancelCreateFreeInitializeIoctlSleepThreadclosesocket
String ID:
API String ID: 241427152-0
Opcode ID: 1c404d5d73e305d8b8ee6673e65e5fb414e44ef9e98f2e73c2721ef1af194596
Instruction ID: 9ffa302cb5f1af5fab4715c46a17bd075f08bdee4d11e4b2f0fa8af8ae267284
Opcode Fuzzy Hash: 1c404d5d73e305d8b8ee6673e65e5fb414e44ef9e98f2e73c2721ef1af194596
Instruction Fuzzy Hash: 03616376206B81D6F7248F51E808B9AB7A6F7C9B88F548125DF8A07B54DF3CC55ACB00

Function 000002287BC34E30 Relevance: 25.6, APIs: 17, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34E47
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34E7F
CreateEventW.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34E91
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34EAC
InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34EBE
IsBadReadPtr.KERNEL32 ref: 000002287BC34ED9
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34EEC
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34F03
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34F32
IsBadReadPtr.KERNEL32 ref: 000002287BC34F44
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34F57
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34F6E
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34F9D
IsBadReadPtr.KERNEL32 ref: 000002287BC34FAF
EnterCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34FC2
VirtualAlloc.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC34FD9
LeaveCriticalSection.KERNEL32(?,?,00000000,000002287BC351C0,?,?,00000000,000002287BC14C0C), ref: 000002287BC35008

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent
String ID:
API String ID: 3934889794-0
Opcode ID: f72b57c28baa5693b97416f12eef773b3eaba470e72f45982b1511237ecf147c
Instruction ID: acb91769672ca6eca8135b52aafbbc53719c2ce39733c5174acc322fda7e56ff
Opcode Fuzzy Hash: f72b57c28baa5693b97416f12eef773b3eaba470e72f45982b1511237ecf147c
Instruction Fuzzy Hash: 3C51A139312B40E2FB058F61EA48769B3A2F7D9B85FA48126CB4D43794DF38C5A6C340

Function 000002287BC30FB0 Relevance: 25.6, APIs: 17, Instructions: 104pipethreadCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC30FC6
TerminateThread.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC30FD7
TerminateProcess.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC30FE3
TerminateThread.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC30FEF
VirtualFree.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC31010
VirtualFree.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC3103A
DisconnectNamedPipe.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC3104C
DisconnectNamedPipe.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC3105B
DisconnectNamedPipe.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC3106A
DisconnectNamedPipe.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC31079
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC31087
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC31099
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC310AC
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC310BF
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC310D2
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC310E5
CloseHandle.KERNEL32(?,?,?,000002287BC24515), ref: 000002287BC310F8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$DisconnectNamedPipe$Terminate$FreeThreadVirtual$CriticalDeleteProcessSection
String ID:
API String ID: 2021643575-0
Opcode ID: 22f65dbadcf723d4ef9dbca8ef5aeeda7a7c5473f9a03471dc6572031d860353
Instruction ID: 8a13bad1af03b2dfee647e77799ae62fe5f0c8fe1e38f195e8c3e0234ac4f802
Opcode Fuzzy Hash: 22f65dbadcf723d4ef9dbca8ef5aeeda7a7c5473f9a03471dc6572031d860353
Instruction Fuzzy Hash: 5B41F729203A40E5FF58CFA2D568728A366FFC8F88F28C516CE4A43A48DF38C4529751

Function 000002287BC21100 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 111librarycomloaderCOMMON

Download Yara Rule

APIs

CLSIDFromString.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC21148
IIDFromString.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC21159
IIDFromString.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC2116A
CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC21176
CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC21193
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC211C7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC211D2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC211E7
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,000002287BC121C5), ref: 000002287BC2126E

Strings

{43826D1E-E718-42EE-BC55-A1E261C37BFE}, xrefs: 000002287BC21163
SHCreateItemFromParsingName, xrefs: 000002287BC211DD
{3AD05575-8857-4850-9277-11B85BDB8E09}, xrefs: 000002287BC2112B
{947AAB5F-0A5C-4C13-B4D6-4BF7836FC9F8}, xrefs: 000002287BC21152
shell32.dll, xrefs: 000002287BC211B8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FromString$AddressCreateErrorInitializeInstanceLastLibraryLoadProcUninitialize
String ID: SHCreateItemFromParsingName$shell32.dll${3AD05575-8857-4850-9277-11B85BDB8E09}${43826D1E-E718-42EE-BC55-A1E261C37BFE}${947AAB5F-0A5C-4C13-B4D6-4BF7836FC9F8}
API String ID: 2084278556-3860647673
Opcode ID: 6b365c774cdfe9216a3c30888693587c7e5625406bd06819d41ff6f4b0c32ad6
Instruction ID: 681449413b257630cdfb526ec9beeb9e9e68091bdaa7dd9322e454a8d45b893d
Opcode Fuzzy Hash: 6b365c774cdfe9216a3c30888693587c7e5625406bd06819d41ff6f4b0c32ad6
Instruction Fuzzy Hash: 6F515F2A712B15E6FB00CFB1D84869D77B2FB89B89F648516EE0A53B24DF34C586C350

Function 000002287BC2BCB0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 000002287BC2BCD5
memset.NTDLL ref: 000002287BC2BD6A
wsprintfW.USER32 ref: 000002287BC2BD89
SetFileAttributesW.KERNEL32 ref: 000002287BC2BD99
DeleteFileW.KERNEL32 ref: 000002287BC2BDA4
CreateFileW.KERNEL32 ref: 000002287BC2BDD4
GetLastError.KERNEL32 ref: 000002287BC2BDE3
WriteFile.KERNEL32 ref: 000002287BC2BE06
GetLastError.KERNEL32 ref: 000002287BC2BE10
CloseHandle.KERNEL32 ref: 000002287BC2BE20
SetFileAttributesW.KERNEL32 ref: 000002287BC2BE30

Strings

%s\%s, xrefs: 000002287BC2BD7D
192.197.113.45, xrefs: 000002287BC2BCCB
install.cfg, xrefs: 000002287BC2BD76

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: File$AttributesErrorLast$CloseCreateDeleteHandleWritememcpymemsetwsprintf
String ID: %s\%s$192.197.113.45$install.cfg
API String ID: 1383014907-2856810270
Opcode ID: e445fe55c89c3ec01bc9361a1c4306dd17c976a09e4684f286418ac370e38a0c
Instruction ID: 35af13b7885eff303835e64c09247480aa808e9353234f5df4ae10a8a4473182
Opcode Fuzzy Hash: e445fe55c89c3ec01bc9361a1c4306dd17c976a09e4684f286418ac370e38a0c
Instruction Fuzzy Hash: C341813A615B8592F7108F64E84D7AAA761F7DAB84F64C312DB8913754EF3CC546C700

Function 000002287BC42BB0 Relevance: 24.3, APIs: 2, Strings: 14, Instructions: 347COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 000002287BC42C67
memcpy.NTDLL ref: 000002287BC42FD4

Strings

OOM, xrefs: 000002287BC42F18
%s|%s|%d, xrefs: 000002287BC42D43
init server failed, xrefs: 000002287BC43124
ener), xrefs: 000002287BC4306D
http_proxy, xrefs: 000002287BC430C0
lws_create_vhost, xrefs: 000002287BC42C09
default, xrefs: 000002287BC42BD6
same vh list, xrefs: 000002287BC42FDF
|%u, xrefs: 000002287BC42CFD
lws_free, xrefs: 000002287BC42F3A
lws_protocol_init failed, xrefs: 000002287BC43168
port %u, xrefs: 000002287BC43030
vh plugin table, xrefs: 000002287BC42ED8
|%s, xrefs: 000002287BC42CCB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID: %s|%s|%d$OOM$default$ener)$http_proxy$init server failed$lws_create_vhost$lws_free$lws_protocol_init failed$port %u$same vh list$vh plugin table$|%s$|%u
API String ID: 3510742995-1324429581
Opcode ID: 40858c6f65372f23e2bf88e5df12406cb90927b9e36efcc625bb40a598f3a3d8
Instruction ID: 77776424345c952e44f95a99b297e306a995ea546bace69ada04d6b0b7bd38cd
Opcode Fuzzy Hash: 40858c6f65372f23e2bf88e5df12406cb90927b9e36efcc625bb40a598f3a3d8
Instruction Fuzzy Hash: CE02AC3A302B84A6FB44CF65D448799B7A1F789B98F648136DE4D8B795DF38C652C300

Function 000002287BC2F480 Relevance: 24.1, APIs: 16, Instructions: 95keyboardsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F49B
WaitForSingleObject.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F4B1
CloseHandle.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F4C0
VirtualFree.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F4F3
VirtualFree.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F51D
BlockInput.USER32(?,?,?,000002287BC24327), ref: 000002287BC2F52C
CloseHandle.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F53B
ReleaseDC.USER32 ref: 000002287BC2F550
SelectObject.GDI32 ref: 000002287BC2F561
SelectObject.GDI32 ref: 000002287BC2F57C
DeleteObject.GDI32 ref: 000002287BC2F58D
DeleteObject.GDI32 ref: 000002287BC2F59A
DeleteDC.GDI32 ref: 000002287BC2F5A4
DeleteDC.GDI32 ref: 000002287BC2F5B1
VirtualFree.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F5C8
VirtualFree.KERNEL32(?,?,?,000002287BC24327), ref: 000002287BC2F5E6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Object$DeleteFreeVirtual$CloseHandleSelect$BlockEventInputReleaseSingleWait
String ID:
API String ID: 3967251967-0
Opcode ID: 3d07de667bdd98724143ada818b03743f8d5fa4bd8fba57485f092a4cb83d6d2
Instruction ID: 14cc510be318927c15f812700cdb636afbc85a00a98c4c60b50ff46b965c1e94
Opcode Fuzzy Hash: 3d07de667bdd98724143ada818b03743f8d5fa4bd8fba57485f092a4cb83d6d2
Instruction Fuzzy Hash: DB411939202B50D2FB44CFA2E558769B366FBC5F88F24C026CE4A43758CF38C4968711

Function 000002287BC173A0 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 96synchronizationpipeCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC173BA

Part of subcall function 000002287BC281B0: VirtualAlloc.KERNEL32(?,?,00000000,000002287BC26DE8), ref: 000002287BC281C7
Part of subcall function 000002287BC281B0: InitializeCriticalSection.KERNEL32(?,?,00000000,000002287BC26DE8), ref: 000002287BC281F5

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

memset.NTDLL ref: 000002287BC173F5
GetCurrentProcessId.KERNEL32 ref: 000002287BC173FA
wsprintfW.USER32 ref: 000002287BC17416
WaitForSingleObject.KERNEL32 ref: 000002287BC17433
WaitForSingleObject.KERNEL32 ref: 000002287BC1747B
VirtualFree.KERNEL32 ref: 000002287BC1749A
VirtualFree.KERNEL32 ref: 000002287BC174C4
DisconnectNamedPipe.KERNEL32 ref: 000002287BC174DB
CloseHandle.KERNEL32 ref: 000002287BC174EA
DeleteCriticalSection.KERNEL32 ref: 000002287BC174F8
VirtualFree.KERNEL32 ref: 000002287BC17509

Strings

\\.\Pipe\%d_Local_%d, xrefs: 000002287BC17407

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
String ID: \\.\Pipe\%d_Local_%d
API String ID: 2297721380-251893267
Opcode ID: cfcf1faea994bcf8fa9046817b97a16237f4d8ae528ee4521bb3e96e9f6a7b18
Instruction ID: 6736abc0154fa5624066bb9bd3db4100b03f3ed21218968b1e3671869e2c647e
Opcode Fuzzy Hash: cfcf1faea994bcf8fa9046817b97a16237f4d8ae528ee4521bb3e96e9f6a7b18
Instruction Fuzzy Hash: 4C418669302A4093FB649FA2E55C75DB3A2FBC5F84F248022CA4A57A94DF3CC8478711

Function 000002287BC1A570 Relevance: 21.3, APIs: 14, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac11e50a1e072cac052fa54a0874a076868238301431d97cc763025b4dce1acd
Instruction ID: e87360c3485b13183fca2824576bcbcb2bc5e86906a88c423ddb15c52c28be3b
Opcode Fuzzy Hash: ac11e50a1e072cac052fa54a0874a076868238301431d97cc763025b4dce1acd
Instruction Fuzzy Hash: 08B10869347589E6FB14DFD8F6883E4A3D2F7C4754FA5C12AE19A97690CE2CC8838305

Function 000002287BC20FA0 Relevance: 21.1, APIs: 14, Instructions: 87stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000002287BC20FB0
WideCharToMultiByte.KERNEL32 ref: 000002287BC20FDA
VirtualAlloc.KERNEL32 ref: 000002287BC20FF5
lstrlenW.KERNEL32 ref: 000002287BC21006

Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C997
Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C9BF

memset.NTDLL ref: 000002287BC2102B
lstrlenA.KERNEL32 ref: 000002287BC21033
VirtualFree.KERNEL32 ref: 000002287BC21049
lstrlenA.KERNEL32 ref: 000002287BC2106A
memset.NTDLL ref: 000002287BC21092
memcpy.NTDLL ref: 000002287BC210A2
CreateDirectoryA.KERNEL32 ref: 000002287BC210AE
lstrlenA.KERNEL32 ref: 000002287BC210BC
CreateDirectoryA.KERNEL32 ref: 000002287BC210D3
VirtualFree.KERNEL32 ref: 000002287BC210E4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$CreateDirectoryFreememset$Allocmemcpy
String ID:
API String ID: 2091574596-0
Opcode ID: 1f76454f4776390ab5dbb31d2d125cc19e68bef09b6ddff7a62c5eac63547ca7
Instruction ID: 06fea8cd4890b069fd04cb04d1bc088a8a287f4e2b569a4f43e9bf713f8785ea
Opcode Fuzzy Hash: 1f76454f4776390ab5dbb31d2d125cc19e68bef09b6ddff7a62c5eac63547ca7
Instruction Fuzzy Hash: 6931B629305A8092F754DFA6EA5C7ADA393A7CABC5F148025DB4A83795DF3CC5468700

Function 000002287BC2ED30 Relevance: 21.1, APIs: 14, Instructions: 64keyboardsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000002287BC2ED41
WaitForSingleObject.KERNEL32 ref: 000002287BC2ED55
CloseHandle.KERNEL32 ref: 000002287BC2ED64
BlockInput.USER32 ref: 000002287BC2ED78
ReleaseDC.USER32 ref: 000002287BC2ED89
SelectObject.GDI32 ref: 000002287BC2ED9A
SelectObject.GDI32 ref: 000002287BC2EDB5
DeleteObject.GDI32 ref: 000002287BC2EDC6
DeleteObject.GDI32 ref: 000002287BC2EDD3
DeleteDC.GDI32 ref: 000002287BC2EDDD
DeleteDC.GDI32 ref: 000002287BC2EDEA
VirtualFree.KERNEL32 ref: 000002287BC2EE01
VirtualFree.KERNEL32 ref: 000002287BC2EE1F
CloseHandle.KERNEL32 ref: 000002287BC2EE35

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Object$Delete$CloseFreeHandleSelectVirtual$BlockEventInputReleaseSingleWait
String ID:
API String ID: 2595850724-0
Opcode ID: 627ade597925c147f7e79ed2012f1fc2a10741f551bbb865f3983e0dd27cbec2
Instruction ID: 9028aff3afd3c0b48febf1862620335344ab9c70d7f1fcccabbf455d8abef632
Opcode Fuzzy Hash: 627ade597925c147f7e79ed2012f1fc2a10741f551bbb865f3983e0dd27cbec2
Instruction Fuzzy Hash: 5931C729202B40D6FB449FA2E95C769A3A6FBC9F89F149026CE4A47768DF34C4868711

Function 000002287BC1C640 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 115stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1C67F
memset.NTDLL ref: 000002287BC1C6A0
memset.NTDLL ref: 000002287BC1C6B2
QueryDosDeviceW.KERNEL32 ref: 000002287BC1C6EA
GetDriveTypeW.KERNEL32 ref: 000002287BC1C705
lstrlenW.KERNEL32 ref: 000002287BC1C719
GetVolumeInformationW.KERNEL32 ref: 000002287BC1C788
lstrlenW.KERNEL32 ref: 000002287BC1C793
GetDiskFreeSpaceExW.KERNEL32 ref: 000002287BC1C7E2

Strings

:, xrefs: 000002287BC1C6E2
\, xrefs: 000002287BC1C6FD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memset$lstrlen$DeviceDiskDriveFreeInformationQuerySpaceTypeVolume
String ID: :$\
API String ID: 2115141164-1166558509
Opcode ID: 4ba2442a7ee91752d6fddc61f20b6e237e9db8bc712089ce54949415f7008959
Instruction ID: a93e1bba8f263578bc3e20c4b3ede7bf054ca9457f12817f99f1dc7c39575f33
Opcode Fuzzy Hash: 4ba2442a7ee91752d6fddc61f20b6e237e9db8bc712089ce54949415f7008959
Instruction Fuzzy Hash: E5514E76214B80D7FB30CF65E84879EB761F789799F505112EB8947A68DF38C64ACB00

Function 000002287BC3E510 Relevance: 18.3, APIs: 8, Strings: 4, Instructions: 336COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 000002287BC3E747
memcpy.NTDLL ref: 000002287BC3E799
memcpy.NTDLL ref: 000002287BC3E7E7
memcpy.NTDLL ref: 000002287BC3E836
memcpy.NTDLL ref: 000002287BC3E892
memcpy.NTDLL ref: 000002287BC3E8E8
memcpy.NTDLL ref: 000002287BC3E942
memcpy.NTDLL ref: 000002287BC3E992

Strings

(, xrefs: 000002287BC3E696
client stash, xrefs: 000002287BC3E643
lws_client_connect_via_info, xrefs: 000002287BC3E512
free, xrefs: 000002287BC3E62E

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID: ($client stash$free$lws_client_connect_via_info
API String ID: 3510742995-2507652003
Opcode ID: 5f7d5be1eba48fcf2bd420dd049d970cdcae488fcc84e66b9c1d342dd8b8c7a6
Instruction ID: 25beeeb6e8501f0d1c0fa32587e93e6caa16d088032401e46a37f102eb4f9330
Opcode Fuzzy Hash: 5f7d5be1eba48fcf2bd420dd049d970cdcae488fcc84e66b9c1d342dd8b8c7a6
Instruction Fuzzy Hash: A2D10466A01B9952FB458F69D848369A791F385FB4FA89320CE7E037D1DF38C4938312

Function 000002287BC16590 Relevance: 18.1, APIs: 10, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

malloc.MSVCRT ref: 000002287BC16634
memset.NTDLL ref: 000002287BC16650
memcpy.NTDLL ref: 000002287BC166C5
malloc.MSVCRT ref: 000002287BC166CF
memset.NTDLL ref: 000002287BC166E8
memcpy.NTDLL ref: 000002287BC166FD
free.MSVCRT ref: 000002287BC16714
free.MSVCRT ref: 000002287BC1671D
VirtualFree.KERNEL32 ref: 000002287BC16733
VirtualFree.KERNEL32 ref: 000002287BC1675D

Strings

1127, xrefs: 000002287BC166BB
192.197.113.45, xrefs: 000002287BC166F0, 000002287BC16705

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeavefreemallocmemcpymemset$Initialize
String ID: 1127$192.197.113.45
API String ID: 532055762-2790919393
Opcode ID: 79849f046a066d600e613c408bc8feb084652d5ce1a044d37b8bfa0f3cfb78e2
Instruction ID: 921b8f34424145cbdb8211c522db89e53abeb8d67cdff7efe48ead6f0f2bc0b6
Opcode Fuzzy Hash: 79849f046a066d600e613c408bc8feb084652d5ce1a044d37b8bfa0f3cfb78e2
Instruction Fuzzy Hash: 45519625A16B4493F620DFA6E548269F3A2FBC9B84F64D214DE8A43B55EF3CD1868700

Function 000002287BC33C40 Relevance: 18.1, APIs: 12, Instructions: 108networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000002287BC33C83
GetLastError.KERNEL32 ref: 000002287BC33C92
getaddrinfo.WS2_32 ref: 000002287BC33CC1
WSAGetLastError.WS2_32 ref: 000002287BC33CC7
WSAGetLastError.WS2_32 ref: 000002287BC33CD1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$getaddrinfosocket
String ID:
API String ID: 2350576183-0
Opcode ID: 1024332d28204c91f51eda4f2f951b5aa5350e0b6716ddada6b503eee5c6e165
Instruction ID: 9483f3fb83d0847a4951e5f80b78a494489601554fa202839c200675f0f1526a
Opcode Fuzzy Hash: 1024332d28204c91f51eda4f2f951b5aa5350e0b6716ddada6b503eee5c6e165
Instruction Fuzzy Hash: BB516B76611A81EAF710CFA0E40879D77B2F78975CF108626EF5963A98CF38C55ACB01

Function 000002287BC14380 Relevance: 18.1, APIs: 12, Instructions: 93sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000002287BC14397
Sleep.KERNEL32 ref: 000002287BC143AC
IsBadReadPtr.KERNEL32 ref: 000002287BC143CB
EnterCriticalSection.KERNEL32 ref: 000002287BC143E1
LeaveCriticalSection.KERNEL32 ref: 000002287BC14402
LeaveCriticalSection.KERNEL32 ref: 000002287BC1440F
SetEvent.KERNEL32 ref: 000002287BC1447E
WaitForSingleObject.KERNEL32 ref: 000002287BC1449F
CloseHandle.KERNEL32 ref: 000002287BC144B1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
String ID:
API String ID: 1497552152-0
Opcode ID: 95c85183abd04d487b5653f0d804961ddc88f767ee8db924f83ae14736bb2390
Instruction ID: db1404c22570e81e7cccc69e27fa4282f2216c372a82a9179d9f8e3fa5c9b1ba
Opcode Fuzzy Hash: 95c85183abd04d487b5653f0d804961ddc88f767ee8db924f83ae14736bb2390
Instruction Fuzzy Hash: 75413C79302A44E3FF588FA1D558768A3A1FBC5F49F288421CE0A6B654EF38C4578704

Function 000002287BC2EBC0 Relevance: 18.1, APIs: 12, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000002287BC2EBE6
GetDC.USER32 ref: 000002287BC2EBF6
GetSystemMetrics.USER32 ref: 000002287BC2EC0E
GetSystemMetrics.USER32 ref: 000002287BC2EC1A
CreateCompatibleDC.GDI32 ref: 000002287BC2EC27
CreateCompatibleDC.GDI32 ref: 000002287BC2EC35
CreateDIBSection.GDI32 ref: 000002287BC2EC70
CreateDIBSection.GDI32 ref: 000002287BC2EC92
SelectObject.GDI32 ref: 000002287BC2ECA7
SelectObject.GDI32 ref: 000002287BC2ECC2
CreateEventW.KERNEL32 ref: 000002287BC2ECE6
VirtualAlloc.KERNEL32 ref: 000002287BC2ED06

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Create$CompatibleMetricsObjectSectionSelectSystem$AllocDesktopEventVirtualWindow
String ID:
API String ID: 623393097-0
Opcode ID: cfdeb3b7535088351f103230168192949339b1f5207f0bb29049f4a5c5f9c2a0
Instruction ID: fa39b0e9bff636455b993dabc8a26cf01b8c972d3a895b23d46f054ae331d394
Opcode Fuzzy Hash: cfdeb3b7535088351f103230168192949339b1f5207f0bb29049f4a5c5f9c2a0
Instruction Fuzzy Hash: 6941183A611B50E7E718CF65E648A4EB3B5F389B48F10851ADB8943B14DF39E0B6C740

Function 000002287BC40C30 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 217networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 000002287BC40DB1
sendto.WS2_32 ref: 000002287BC40DC1
WSAGetLastError.WS2_32 ref: 000002287BC40DFF
WSAGetLastError.WS2_32 ref: 000002287BC40E0C
WSAGetLastError.WS2_32 ref: 000002287BC40E19
WSAGetLastError.WS2_32 ref: 000002287BC40E44

Strings

@, xrefs: 000002287BC40E51
invalid sock, xrefs: 000002287BC40D23
lws_issue_raw, xrefs: 000002287BC40D38

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$sendto
String ID: @$invalid sock$lws_issue_raw
API String ID: 437866842-1634260725
Opcode ID: 965925c8446b3034237eb9b2380abb21a7165ccdb1fba7f1059e45b429bd9e30
Instruction ID: 578f8cdd82da77fb31bfffc20542d68b0cad8c83f09c782ddb050ec35d6afe10
Opcode Fuzzy Hash: 965925c8446b3034237eb9b2380abb21a7165ccdb1fba7f1059e45b429bd9e30
Instruction Fuzzy Hash: 8291083938278196FB548FA5D40C799AB96F7C1BB8F288235AE598B3D5DF34C6438300

Function 000002287BC25FF0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2603F
VirtualFree.KERNEL32 ref: 000002287BC26069
VirtualFree.KERNEL32 ref: 000002287BC260C6
VirtualFree.KERNEL32 ref: 000002287BC260F0
VirtualFree.KERNEL32 ref: 000002287BC26132
CreateFileW.KERNEL32 ref: 000002287BC2615E
DeviceIoControl.KERNEL32 ref: 000002287BC261A5
CloseHandle.KERNEL32 ref: 000002287BC261B3

Strings

D", xrefs: 000002287BC26191
\\.\TrueSight, xrefs: 000002287BC26148

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$CloseControlCreateDeviceFileHandleInitialize
String ID: D"$\\.\TrueSight
API String ID: 655973622-2684836731
Opcode ID: aad29225063e317c2a3573ba569ed1ad7c973e8f19d29a31948c40979fe2f404
Instruction ID: 5d3d020ea740239154b018048ff66bf9681f857f31c6e99e9458937cadc0c82f
Opcode Fuzzy Hash: aad29225063e317c2a3573ba569ed1ad7c973e8f19d29a31948c40979fe2f404
Instruction Fuzzy Hash: 5951B136315B8096FB64CFA2E54835AB3A2FBC9B84F54C125DB8A43F54DF38D0968B00

Function 000002287BC23F60 Relevance: 16.6, APIs: 11, Instructions: 118synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC23FB3
VirtualFree.KERNEL32 ref: 000002287BC23FDD
SetEvent.KERNEL32 ref: 000002287BC2400D
WaitForSingleObject.KERNEL32 ref: 000002287BC2401F
TerminateThread.KERNEL32 ref: 000002287BC2402A
CloseHandle.KERNEL32 ref: 000002287BC24038
VirtualFree.KERNEL32 ref: 000002287BC24070
WaitForSingleObject.KERNEL32 ref: 000002287BC240A1
TerminateThread.KERNEL32 ref: 000002287BC240AC
CloseHandle.KERNEL32 ref: 000002287BC240BA
VirtualFree.KERNEL32 ref: 000002287BC240E7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$CloseHandleLeaveObjectSingleTerminateThreadWait$EventInitialize
String ID:
API String ID: 3987515053-0
Opcode ID: d19a18a1fb18c226b587fa31215fab17c2ab26e2c9ffc026edeed4398f67e4f0
Instruction ID: 4099127be69412a15ca37fdf7b96bca555a619cccb22f3519328a02f658178bd
Opcode Fuzzy Hash: d19a18a1fb18c226b587fa31215fab17c2ab26e2c9ffc026edeed4398f67e4f0
Instruction Fuzzy Hash: AD411E29303A4096FB58DFE3A65C769A3A2FBC9F85F28C415CE4A47B55DF38C4928740

Function 000002287BC302F0 Relevance: 16.6, APIs: 11, Instructions: 101servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 000002287BC3033B
OpenServiceW.ADVAPI32 ref: 000002287BC30358
QueryServiceStatus.ADVAPI32 ref: 000002287BC30369
LockServiceDatabase.ADVAPI32 ref: 000002287BC30372
ChangeServiceConfigW.ADVAPI32 ref: 000002287BC303D0
UnlockServiceDatabase.ADVAPI32 ref: 000002287BC303DE
CloseServiceHandle.ADVAPI32 ref: 000002287BC303E7
CloseServiceHandle.ADVAPI32 ref: 000002287BC303F0
Sleep.KERNEL32 ref: 000002287BC303FB
VirtualFree.KERNEL32 ref: 000002287BC30411
VirtualFree.KERNEL32 ref: 000002287BC3043B

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
String ID:
API String ID: 3731607402-0
Opcode ID: af251502d29c9c7c90bd3414ecd8e43ff810c8be5039d8a95cde08aac0fb0348
Instruction ID: f3ad56879d140353b8db8e3db6a497a4c2b000680b07cfdc003055c7b63f0fca
Opcode Fuzzy Hash: af251502d29c9c7c90bd3414ecd8e43ff810c8be5039d8a95cde08aac0fb0348
Instruction Fuzzy Hash: 2C416F3A606B4092FB68DF52A858B19B3A6FBC9F94F648025DE9A03B14DF39C446D740

Function 000002287BC2CBF0 Relevance: 16.6, APIs: 11, Instructions: 71stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2CC14
malloc.MSVCRT ref: 000002287BC2CC22
Process32FirstW.KERNEL32 ref: 000002287BC2CC40
lstrcmpiW.KERNEL32(?,?,?,000002287BC12C27), ref: 000002287BC2CC51
free.MSVCRT ref: 000002287BC2CC66
CloseHandle.KERNEL32(?,?,?,000002287BC12C27), ref: 000002287BC2CC74
Process32NextW.KERNEL32 ref: 000002287BC2CC84
lstrcmpiW.KERNEL32(?,?,?,000002287BC12C27), ref: 000002287BC2CC97
Process32NextW.KERNEL32 ref: 000002287BC2CCAC
free.MSVCRT ref: 000002287BC2CCB9
CloseHandle.KERNEL32(?,?,?,000002287BC12C27), ref: 000002287BC2CCC7

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process32$CloseHandleNextfreelstrcmpi$CreateFirstSnapshotToolhelp32malloc
String ID:
API String ID: 2997854644-0
Opcode ID: c0e3d4e231a4b577965a3ea000d550504dace39ce01524bf4430d1bb5e102c2b
Instruction ID: a89387ecc92296368913f27b49b63afd5ee5e8bf8189fc07be3ccb2de96882d4
Opcode Fuzzy Hash: c0e3d4e231a4b577965a3ea000d550504dace39ce01524bf4430d1bb5e102c2b
Instruction Fuzzy Hash: 96216569302A41E2FB549FE69A4C76AE3A2F7C9FC4F68C115CD8657754DF38C4468700

Function 000002287BC2F620 Relevance: 16.6, APIs: 11, Instructions: 55threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002287BC2F634
GetThreadDesktop.USER32 ref: 000002287BC2F63C
memset.NTDLL ref: 000002287BC2F652
GetUserObjectInformationW.USER32 ref: 000002287BC2F675
OpenInputDesktop.USER32 ref: 000002287BC2F685
memset.NTDLL ref: 000002287BC2F69E
GetUserObjectInformationW.USER32 ref: 000002287BC2F6C4
lstrcmpiW.KERNEL32 ref: 000002287BC2F6D7
SetThreadDesktop.USER32 ref: 000002287BC2F6E4
CloseDesktop.USER32 ref: 000002287BC2F6F2
CloseDesktop.USER32 ref: 000002287BC2F6FB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
String ID:
API String ID: 2480204736-0
Opcode ID: 35742a42ec1bb8b9f7ddbb22bb0d6eeede412635445707ac6bcd940e153e3a1a
Instruction ID: c7440359f7bfec32c4f824a797ebbf5a77e2ce85a63a7425ce089ada1dfd99e1
Opcode Fuzzy Hash: 35742a42ec1bb8b9f7ddbb22bb0d6eeede412635445707ac6bcd940e153e3a1a
Instruction Fuzzy Hash: 14212139315B80E2F724DF51E55CB9AA3A2F7C9B88F948126DA4A47B54DF3CC216C740

Function 000002287BC28E50 Relevance: 16.4, APIs: 13, Instructions: 122COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC28E9A
EnterCriticalSection.KERNEL32 ref: 000002287BC28EB0
LeaveCriticalSection.KERNEL32 ref: 000002287BC28ED5
IsBadReadPtr.KERNEL32 ref: 000002287BC28EEE
VirtualFree.KERNEL32 ref: 000002287BC28F07
VirtualFree.KERNEL32 ref: 000002287BC28F1D
IsBadReadPtr.KERNEL32 ref: 000002287BC28F32
EnterCriticalSection.KERNEL32 ref: 000002287BC28F45
LeaveCriticalSection.KERNEL32 ref: 000002287BC28F6E
VirtualFree.KERNEL32 ref: 000002287BC28F97
LeaveCriticalSection.KERNEL32 ref: 000002287BC28FA1
VirtualFree.KERNEL32 ref: 000002287BC28FBF
VirtualFree.KERNEL32 ref: 000002287BC28FF5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalFreeSectionVirtual$LeaveRead$Enter
String ID:
API String ID: 3895189749-0
Opcode ID: ad2c027d4bce0eda3b197a7ca1e870bc427290db4fc309fc76e4d30eb952749b
Instruction ID: cdcc5ecf1d12892fde234836b808a59450a385be5c593bd2dff16d27a8b0b7e9
Opcode Fuzzy Hash: ad2c027d4bce0eda3b197a7ca1e870bc427290db4fc309fc76e4d30eb952749b
Instruction Fuzzy Hash: 53511D29302A4092FB589FA2D65C769A3A7BFC9F84F28C425DE5A87654DF3DC4868700

Function 000002287BC4C680 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 282COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 000002287BC4CA63

Strings

GET, xrefs: 000002287BC4C71A
POST, xrefs: 000002287BC4C721
PUT, xrefs: 000002287BC4C728
MQTT, xrefs: 000002287BC4C72F, 000002287BC4C8D9
DNS NXDOMAIN, xrefs: 000002287BC4CABA
UDP, xrefs: 000002287BC4C7C9
YZ[\X]^_RAW, xrefs: 000002287BC4C68C
client_connect2, xrefs: 000002287BC4CACF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: getaddrinfo
String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
API String ID: 300660673-2214405465
Opcode ID: 2c5305e086da3388b79cc2b3c4c7f9437366b913ef4853aba4d80fe6e6efeebf
Instruction ID: da7ed3b9977730cc25dab6346c832eb4e1dc172a8588002edcfc27eed038c579
Opcode Fuzzy Hash: 2c5305e086da3388b79cc2b3c4c7f9437366b913ef4853aba4d80fe6e6efeebf
Instruction Fuzzy Hash: 7BC10A2A216684B5FB618FA194183BEBFA2F3D2B64F68C132DB46465A5DF34C643C710

Function 000002287BC34120 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 138timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000002287BC34152
malloc.MSVCRT ref: 000002287BC34175
malloc.MSVCRT ref: 000002287BC341EB
free.MSVCRT ref: 000002287BC34232
malloc.MSVCRT ref: 000002287BC34343
free.MSVCRT ref: 000002287BC34376

Strings

d, xrefs: 000002287BC342F7
<, xrefs: 000002287BC342FE
d, xrefs: 000002287BC342B5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: malloc$free$Timetime
String ID: <$d$d
API String ID: 3424428123-2034941416
Opcode ID: 51bd13c452381c1f51f2b181b107fbd28d03286067c749e65a5f237629124915
Instruction ID: 9bf074710ec703ba0732b0efa5b3328ca0865514811da27291cb2fdf7b6f6403
Opcode Fuzzy Hash: 51bd13c452381c1f51f2b181b107fbd28d03286067c749e65a5f237629124915
Instruction Fuzzy Hash: 84712A76102B80D6EB908F61D58834D7BA9F788B48F58C529CB8C2B754DF79C465DB10

Function 000002287BC2E422 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC2E469
GetSystemDirectoryW.KERNEL32 ref: 000002287BC2E47B
lstrcatW.KERNEL32 ref: 000002287BC2E490
CreateProcessW.KERNEL32 ref: 000002287BC2E523
CloseHandle.KERNEL32 ref: 000002287BC2E533
CloseHandle.KERNEL32 ref: 000002287BC2E548

Strings

\cmd.exe, xrefs: 000002287BC2E481
WinSta0\Winlogon, xrefs: 000002287BC2E4B0
h, xrefs: 000002287BC2E503

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
String ID: WinSta0\Winlogon$\cmd.exe$h
API String ID: 3110162951-1128999311
Opcode ID: c966bc5097c694aeafe5a988ec5eaa9773b15d62cb3eaf6412a53ec612da41c5
Instruction ID: 8e3986343eef1b95d754e6364111034a1f2079231b0b1b006a0205ffdd25e406
Opcode Fuzzy Hash: c966bc5097c694aeafe5a988ec5eaa9773b15d62cb3eaf6412a53ec612da41c5
Instruction Fuzzy Hash: D231B127A197C197E7208FA0E4583AAB761F7D5704F98C22697C903A59EF78C196CB00

Function 000002287BC13D30 Relevance: 15.2, APIs: 10, Instructions: 150networkthreadCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 000002287BC13D83
SetThreadExecutionState.KERNEL32 ref: 000002287BC13DC5
SystemParametersInfoW.USER32 ref: 000002287BC13DD6
SystemParametersInfoW.USER32 ref: 000002287BC13DE7
WSAWaitForMultipleEvents.WS2_32 ref: 000002287BC13E12
WSAEnumNetworkEvents.WS2_32 ref: 000002287BC13E52
SetEvent.KERNEL32 ref: 000002287BC13ECB
WSAGetLastError.WS2_32 ref: 000002287BC13EDB
VirtualFree.KERNEL32 ref: 000002287BC13EF8
VirtualFree.KERNEL32 ref: 000002287BC13F22

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: EventEventsFreeInfoParametersSystemVirtual$EnumErrorExecutionLastMultipleNetworkSelectStateThreadWait
String ID:
API String ID: 705661956-0
Opcode ID: 52138d2b800ccf1fb00b413d68f0eaf781df4a799609b85c0360fe5f06656774
Instruction ID: 54b8e9c8d275ceb567606dabbc580a250de798eb493f840e1a37dd53662a289e
Opcode Fuzzy Hash: 52138d2b800ccf1fb00b413d68f0eaf781df4a799609b85c0360fe5f06656774
Instruction Fuzzy Hash: 7F51B07A212B44A2FB64DFA2D55C719B3A2FBC5B88F248025DE4A97B94DF34C853C740

Function 000002287BC35470 Relevance: 15.1, APIs: 10, Instructions: 145networksynchronizationCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC354AB
memset.NTDLL ref: 000002287BC35566
SetEvent.KERNEL32 ref: 000002287BC355C6
WSACreateEvent.WS2_32 ref: 000002287BC355CC
WSAEventSelect.WS2_32 ref: 000002287BC355E1
WSAWaitForMultipleEvents.WS2_32 ref: 000002287BC3560C
WSAEnumNetworkEvents.WS2_32 ref: 000002287BC3562F
WaitForSingleObject.KERNEL32 ref: 000002287BC35664
WSAWaitForMultipleEvents.WS2_32 ref: 000002287BC356B9
WSACloseEvent.WS2_32 ref: 000002287BC356D0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Event$EventsWait$Multiplememset$CloseCreateEnumNetworkObjectSelectSingle
String ID:
API String ID: 4111286588-0
Opcode ID: 0f81237e6d1da40c68c7b47ea01de113f1d79d87ad4081a33481c3efc863e423
Instruction ID: dba1a6b3abeef2a35819a40df810bd2862512c87c7cc1cb1e465e02be4c0cf8d
Opcode Fuzzy Hash: 0f81237e6d1da40c68c7b47ea01de113f1d79d87ad4081a33481c3efc863e423
Instruction Fuzzy Hash: F261AF36212B809AF720CFA5E84878DB7B6F785798F608215DA5D47B98DF38C192CB01

Function 000002287BC34630 Relevance: 15.1, APIs: 10, Instructions: 100memorytimethreadCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000002287BC34655
VirtualAlloc.KERNEL32 ref: 000002287BC346D7
IsBadReadPtr.KERNEL32 ref: 000002287BC34707
EnterCriticalSection.KERNEL32 ref: 000002287BC3471E
send.WS2_32 ref: 000002287BC34731
GetLastError.KERNEL32 ref: 000002287BC34737
IsBadReadPtr.KERNEL32 ref: 000002287BC34747
ExitThread.KERNEL32 ref: 000002287BC34753
LeaveCriticalSection.KERNEL32 ref: 000002287BC3475E
VirtualFree.KERNEL32 ref: 000002287BC34774

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
String ID:
API String ID: 3122330297-0
Opcode ID: f81773ac5293fa06452616b02bcd918e730b8e5a510ab32d6fa37ef6065fc1e2
Instruction ID: 33621308ad5f69256430a08719080b4bee3bf47d8c339121319da220dfc483df
Opcode Fuzzy Hash: f81773ac5293fa06452616b02bcd918e730b8e5a510ab32d6fa37ef6065fc1e2
Instruction Fuzzy Hash: 49415E3A30164097F7548F62E94871DB7A2F78AB88F64C02ACB4A87754DF38D856CB40

Function 000002287BC1B120 Relevance: 15.1, APIs: 10, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B137
CreateEventW.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1C1
VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1E6
InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B1F8
VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B21D
InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B22F
VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B254
InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B266
VirtualAlloc.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B28B
InitializeCriticalSection.KERNEL32(?,?,?,000002287BC11E17), ref: 000002287BC1B29D

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: AllocVirtual$CriticalInitializeSection$CreateEvent
String ID:
API String ID: 469433356-0
Opcode ID: 303f8027ff80914df4d43291911db3601dac3562635ff234a1bc3168d7857ae2
Instruction ID: 08a3615119fa6514b4af05dcbe8ef7f04ac1659a0212b213c95b22301cf7c627
Opcode Fuzzy Hash: 303f8027ff80914df4d43291911db3601dac3562635ff234a1bc3168d7857ae2
Instruction Fuzzy Hash: 4041637A213B44E6F705CF50F948749B7EAF788B84F60802ADA8953BA4DF38C566C740

Function 000002287BC11E90 Relevance: 15.1, APIs: 10, Instructions: 91threadmemoryCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000002287BC11EBF
IsBadReadPtr.KERNEL32 ref: 000002287BC11EF4
EnterCriticalSection.KERNEL32 ref: 000002287BC11F0F
VirtualAlloc.KERNEL32 ref: 000002287BC11F25
LeaveCriticalSection.KERNEL32 ref: 000002287BC11F49
GetNativeSystemInfo.KERNEL32 ref: 000002287BC11F7B
CreateThread.KERNEL32 ref: 000002287BC11FB2
CloseHandle.KERNEL32 ref: 000002287BC11FC0
CreateThread.KERNEL32 ref: 000002287BC11FDE
CloseHandle.KERNEL32 ref: 000002287BC11FEC

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
String ID:
API String ID: 3571750651-0
Opcode ID: 9eb8f0ae13e0ca5a9a76a572d6a5dc9a1759dda7ca47c1172a2a69fee19d4a2c
Instruction ID: 096335f81848e33d2fadace13948588eead088d2a86b87e9260daeb1a7989135
Opcode Fuzzy Hash: 9eb8f0ae13e0ca5a9a76a572d6a5dc9a1759dda7ca47c1172a2a69fee19d4a2c
Instruction Fuzzy Hash: 3B419F7A206B80D2FB20CF61E948799B3A6F785B44F54C12ADE8943754EF38C496C700

Function 000002287BC30470 Relevance: 15.1, APIs: 10, Instructions: 74servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 000002287BC30495
OpenServiceW.ADVAPI32 ref: 000002287BC304B2
QueryServiceStatus.ADVAPI32 ref: 000002287BC304C3
ControlService.ADVAPI32 ref: 000002287BC304EE
ControlService.ADVAPI32 ref: 000002287BC3050A
ControlService.ADVAPI32 ref: 000002287BC30526
StartServiceW.ADVAPI32 ref: 000002287BC3053D
CloseServiceHandle.ADVAPI32 ref: 000002287BC30546
CloseServiceHandle.ADVAPI32 ref: 000002287BC3054F
Sleep.KERNEL32 ref: 000002287BC3055A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Service$Control$CloseHandleOpen$ManagerQuerySleepStartStatus
String ID:
API String ID: 2453229493-0
Opcode ID: 72676e1cd6c076af8db37262e620a1482012437159b971be25594ca16c3ba576
Instruction ID: 802eeaca7cea54b6e9b0431774e7b84042c50eedc6ac5559dfc8122def993466
Opcode Fuzzy Hash: 72676e1cd6c076af8db37262e620a1482012437159b971be25594ca16c3ba576
Instruction Fuzzy Hash: BC31683A605640D2FB249F96A51C35AE3A3F7C9F94FA4C421DA4E03754CE3CC5469A05

Function 000002287BC22440 Relevance: 15.1, APIs: 10, Instructions: 74stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC22452
malloc.MSVCRT ref: 000002287BC2246E
Process32FirstW.KERNEL32 ref: 000002287BC22494
lstrlenW.KERNEL32 ref: 000002287BC224AB
lstrlenW.KERNEL32 ref: 000002287BC224B9
Process32NextW.KERNEL32 ref: 000002287BC224F0
lstrlenW.KERNEL32 ref: 000002287BC22504
Process32NextW.KERNEL32 ref: 000002287BC2253B
free.MSVCRT ref: 000002287BC2254D
CloseHandle.KERNEL32 ref: 000002287BC22556

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process32lstrlen$Next$CloseCreateFirstHandleSnapshotToolhelp32freemalloc
String ID:
API String ID: 4027670598-0
Opcode ID: 9dec531cfe11ca178118eb915f3ad58183cdf8bfa5e8815815d788b5620d7800
Instruction ID: c73f1e287ed59a2696e646d2c30a2c3b5cc1a31ba925b0563eea2a5484a5eea1
Opcode Fuzzy Hash: 9dec531cfe11ca178118eb915f3ad58183cdf8bfa5e8815815d788b5620d7800
Instruction Fuzzy Hash: 74319E69201A00D2FB909F66E55C769A3B1F789FD4F648121DE4B47B64EF3CC14ACB00

Function 000002287BC2D0F0 Relevance: 15.1, APIs: 10, Instructions: 61serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 000002287BC2D107
OpenServiceW.ADVAPI32 ref: 000002287BC2D137
GetLastError.KERNEL32 ref: 000002287BC2D145
CloseServiceHandle.ADVAPI32 ref: 000002287BC2D150

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager
String ID:
API String ID: 2659350385-0
Opcode ID: fefd5c4f08cde2a6459c024f055f59b1ae3a232860ca766f9537f5e5db190d1f
Instruction ID: 253f52535d4dc033f3d60304ee1936161cbea1cbc4f4b41c09ff5d2061903140
Opcode Fuzzy Hash: fefd5c4f08cde2a6459c024f055f59b1ae3a232860ca766f9537f5e5db190d1f
Instruction Fuzzy Hash: 9C214829B1AA50D2FB449F96BA5C62993A2F7CDFD4F145422DE0A43B55EE3CC4878B00

Function 000002287BC23B10 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 70stringthreadCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC23B75
lstrcmpiW.KERNEL32 ref: 000002287BC23B9A
lstrcmpiW.KERNEL32 ref: 000002287BC23BC1
CreateThread.KERNEL32 ref: 000002287BC23C2F

Strings

UDP, xrefs: 000002287BC23BB2
TCP, xrefs: 000002287BC23B8B
HTTP, xrefs: 000002287BC23BD3

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcmpi$CreateThreadmemset
String ID: HTTP$TCP$UDP
API String ID: 1278753810-3864057669
Opcode ID: cecce4dee20ffc39160aa6f98eed1715bebab95b15cc28f3b4767ff3f246bbc8
Instruction ID: ab11daea1543ec4e7b4004f17afeeef3049b57a23b059aca2adbf928831a726a
Opcode Fuzzy Hash: cecce4dee20ffc39160aa6f98eed1715bebab95b15cc28f3b4767ff3f246bbc8
Instruction Fuzzy Hash: 7E31943A619B85E6F7109FA1F88879AB3A2F7C9744F60D125D94A47664EF3CC186C700

Function 000002287BC16DD0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 000002287BC16DEE
memset.NTDLL ref: 000002287BC16E00
lstrcatA.KERNEL32 ref: 000002287BC16E20
lstrcatW.KERNEL32 ref: 000002287BC16E54

Strings

UDP, xrefs: 000002287BC16E30
192.197.113.45, xrefs: 000002287BC16DDC
TCP, xrefs: 000002287BC16E39
HTTP, xrefs: 000002287BC16E45

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcat$memcpymemset
String ID: 192.197.113.45$HTTP$TCP$UDP
API String ID: 133660833-3772999598
Opcode ID: 0a1e7c24dae5f66ab09b2b4f3d8ec40318cae43e4f5206e088fafb2b1591d6a8
Instruction ID: bec0a78139b64bc9270ff829b1d3c359abfaf3a1e174ee32f471e6062c2fd172
Opcode Fuzzy Hash: 0a1e7c24dae5f66ab09b2b4f3d8ec40318cae43e4f5206e088fafb2b1591d6a8
Instruction Fuzzy Hash: 93118869302645B1FB20DFA5E448795B3E3FBC9784FA4C111C94987655EF3DC24AC741

Function 000002287BC32CE0 Relevance: 13.6, APIs: 9, Instructions: 90networkmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC32D13
CreateEventW.KERNEL32 ref: 000002287BC32D44
WSARecv.WS2_32 ref: 000002287BC32D7F
WSAGetLastError.WS2_32 ref: 000002287BC32D85
WaitForMultipleObjects.KERNEL32 ref: 000002287BC32DA3
WSAGetOverlappedResult.WS2_32 ref: 000002287BC32DD6
WSAGetLastError.WS2_32 ref: 000002287BC32DDC
CloseHandle.KERNEL32 ref: 000002287BC32DEE
VirtualFree.KERNEL32 ref: 000002287BC32E1F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateEventFreeHandleMultipleObjectsOverlappedRecvResultWait
String ID:
API String ID: 425432780-0
Opcode ID: aed295863097700a3cf2bcb5c606d9995b58dd7d1b26bbd8ef56c9c832293b68
Instruction ID: 83cb9005bfcd7d4e7127db3765f20c412b9029e0cda75501be6c3e9ddd8f0bcb
Opcode Fuzzy Hash: aed295863097700a3cf2bcb5c606d9995b58dd7d1b26bbd8ef56c9c832293b68
Instruction Fuzzy Hash: 4831A836315B9092FB20CF51F948B5AF7A5F7C9B84F618116DA8907B54DF78C446CB01

Function 000002287BC12000 Relevance: 13.6, APIs: 9, Instructions: 73memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

GetCurrentProcessId.KERNEL32 ref: 000002287BC12020
ProcessIdToSessionId.KERNEL32 ref: 000002287BC12030

Part of subcall function 000002287BC26D30: VirtualAlloc.KERNEL32 ref: 000002287BC26D4E
Part of subcall function 000002287BC26D30: GetCurrentProcessId.KERNEL32 ref: 000002287BC26DC9

VirtualAlloc.KERNEL32 ref: 000002287BC12096
InitializeCriticalSection.KERNEL32 ref: 000002287BC120A8
VirtualAlloc.KERNEL32 ref: 000002287BC120CD
InitializeCriticalSection.KERNEL32 ref: 000002287BC120DF
CreateThread.KERNEL32 ref: 000002287BC12117
WaitForSingleObject.KERNEL32 ref: 000002287BC1212D
CloseHandle.KERNEL32 ref: 000002287BC12136

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
String ID:
API String ID: 1571644542-0
Opcode ID: 0e9fbdbc5e1bf81c50a061c41d83e27d034a7b8579a8f07f73ad152dbf177c29
Instruction ID: 2aa83673ea972e78cc178a2b6b52312fc4e3f68a70babbceb26b304942073231
Opcode Fuzzy Hash: 0e9fbdbc5e1bf81c50a061c41d83e27d034a7b8579a8f07f73ad152dbf177c29
Instruction Fuzzy Hash: 53316C7A216B80D2F714CF60F90868AF7A6F7C9B84F24811AEA8647B54DF3CC446CB40

Function 000002287BC2CCF0 Relevance: 13.6, APIs: 9, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC2CD06
malloc.MSVCRT ref: 000002287BC2CD14
Process32FirstW.KERNEL32 ref: 000002287BC2CD32
free.MSVCRT ref: 000002287BC2CD47
CloseHandle.KERNEL32(?,?,00000000,000002287BC26DD6), ref: 000002287BC2CD55
Process32NextW.KERNEL32 ref: 000002287BC2CD73
Process32NextW.KERNEL32 ref: 000002287BC2CD8B
free.MSVCRT ref: 000002287BC2CD98
CloseHandle.KERNEL32(?,?,00000000,000002287BC26DD6), ref: 000002287BC2CDA6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process32$CloseHandleNextfree$CreateFirstSnapshotToolhelp32malloc
String ID:
API String ID: 141630336-0
Opcode ID: d3eb07f55568ab84808017c9d5b8d4771ccb86291d993e155eb6784a660c0b5b
Instruction ID: bfbf27ae4c42723e8d6a2f9fad01f6752c1428348267d1339ac9e6ef7ca51518
Opcode Fuzzy Hash: d3eb07f55568ab84808017c9d5b8d4771ccb86291d993e155eb6784a660c0b5b
Instruction Fuzzy Hash: 57215429302A40D2FB548F92EA4C72AE7A2F7C5FC5F68C125DD4647754EF38C4868740

Function 000002287BC286C0 Relevance: 12.6, APIs: 10, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualAlloc.KERNEL32 ref: 000002287BC28713
VirtualAlloc.KERNEL32 ref: 000002287BC2875F
IsBadReadPtr.KERNEL32 ref: 000002287BC287A1
EnterCriticalSection.KERNEL32 ref: 000002287BC287B9
VirtualAlloc.KERNEL32 ref: 000002287BC287D0
LeaveCriticalSection.KERNEL32 ref: 000002287BC287F4
VirtualFree.KERNEL32 ref: 000002287BC28819
VirtualFree.KERNEL32 ref: 000002287BC28843
VirtualFree.KERNEL32 ref: 000002287BC28859
VirtualFree.KERNEL32 ref: 000002287BC28883

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 0191b066f4abb38b180e3d42d616056b7f7c3051a82b4bdd04377560fdfa0cea
Instruction ID: 5494c673efac94d00778b58963b13f1bb58690f8981ef0cb60f8b58d77b6d3c1
Opcode Fuzzy Hash: 0191b066f4abb38b180e3d42d616056b7f7c3051a82b4bdd04377560fdfa0cea
Instruction Fuzzy Hash: 4F515035312A0092FB14DF92EA5C769A3A2FBC9F81F58C025DE8A83B54DF38D456C740

Function 000002287BC59BD0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 183networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000002287BC59D62

Strings

client_connect4, xrefs: 000002287BC59EA4
proxy write failed, xrefs: 000002287BC59D6C
RAW, xrefs: 000002287BC59C2C
CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws, xrefs: 000002287BC59C95
first service failed, xrefs: 000002287BC59E2F
Proxy-authorization: basic %s, xrefs: 000002287BC59CD0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: send
String ID: CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws$Proxy-authorization: basic %s$RAW$client_connect4$first service failed$proxy write failed
API String ID: 2809346765-3983456341
Opcode ID: 73c775d1c85b94740a4603f15da84a518d6a6521b29e61628622c61784a89cec
Instruction ID: b193a6d2bca6fe3a5435ec75a6092e8c16f4904b39fa9e7d5b6796880b64586b
Opcode Fuzzy Hash: 73c775d1c85b94740a4603f15da84a518d6a6521b29e61628622c61784a89cec
Instruction Fuzzy Hash: E081FE6A202780A1FB50CFA1E4183A8B7A2FBC4B98F7881B2DE4907798DF74C442C740

Function 000002287BC2C7F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

WTSEnumerateSessionsW.WTSAPI32 ref: 000002287BC2C82F
WTSQuerySessionInformationW.WTSAPI32 ref: 000002287BC2C88B
lstrlenW.KERNEL32 ref: 000002287BC2C8A3
WTSFreeMemory.WTSAPI32 ref: 000002287BC2C922
WTSFreeMemory.WTSAPI32 ref: 000002287BC2C93C

Strings

system, xrefs: 000002287BC2C8C9, 000002287BC2C8F0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeMemory$EnumerateInformationQuerySessionSessionslstrlen
String ID: system
API String ID: 3618899143-3377271179
Opcode ID: c5b338d4ebc20897ab899937c24653b25cbffe5cb9dd32c1f9a8a9f268688e69
Instruction ID: a503517bb9b96ddc59e440dd2a9379082e427c4202e2cfcffd83ca9ae97999b4
Opcode Fuzzy Hash: c5b338d4ebc20897ab899937c24653b25cbffe5cb9dd32c1f9a8a9f268688e69
Instruction Fuzzy Hash: 4941AE7A701A60EBE710DFA5E88869D77B5F388B98F504516EF0A83B18DF34C196CB00

Function 000002287BC22380 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39stringfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC2239D
lstrcatW.KERNEL32 ref: 000002287BC223AE
lstrcatW.KERNEL32 ref: 000002287BC223C0
DeleteFileW.KERNEL32 ref: 000002287BC223F9
GetLastError.KERNEL32 ref: 000002287BC22409

Strings

\temp.key, xrefs: 000002287BC223B4
C:\Program Files\Windows Mail, xrefs: 000002287BC223A2

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcat$DeleteErrorFileLastmemset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 3002015462-229217837
Opcode ID: ff7be70ef30964bc17330d8a44c3dc7bc8f9a366264bc8697cbde6c940821564
Instruction ID: 6cf404876d7db0128b42a930c7ce440d8a77b8ad39918a81c2bf4d75c01a10d4
Opcode Fuzzy Hash: ff7be70ef30964bc17330d8a44c3dc7bc8f9a366264bc8697cbde6c940821564
Instruction Fuzzy Hash: 5F119436609781D2FB20CF55F54835AF7A1F7D9784F648116E68947A58EF7CC189CB00

Function 000002287BC20300 Relevance: 12.1, APIs: 8, Instructions: 109processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000002287BC20367
OpenProcessToken.ADVAPI32 ref: 000002287BC20379
GetLastError.KERNEL32 ref: 000002287BC20383
DuplicateTokenEx.ADVAPI32 ref: 000002287BC203B1
SetTokenInformation.ADVAPI32 ref: 000002287BC203CD
CreateEnvironmentBlock.USERENV ref: 000002287BC203E2
CreateProcessAsUserW.ADVAPI32 ref: 000002287BC2042A
CreateProcessAsUserW.ADVAPI32 ref: 000002287BC20473

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
String ID:
API String ID: 2924300727-0
Opcode ID: 7776120a4cf9eab5bc6d18c251bf41d7d91d6df806284cf8426be864e5e76def
Instruction ID: 4d3fd31dd8356f423c89b3caebfc77978cfc71c84db6d32b643781edcf777b8b
Opcode Fuzzy Hash: 7776120a4cf9eab5bc6d18c251bf41d7d91d6df806284cf8426be864e5e76def
Instruction Fuzzy Hash: 0B517D36B05B819AF750CFA1E48478D73B6F789788F109216AE8C63B18DF38C19AC740

Function 000002287BC1E020 Relevance: 12.1, APIs: 8, Instructions: 92memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1E084
VirtualFree.KERNEL32 ref: 000002287BC1E0AE
CreateEventW.KERNEL32 ref: 000002287BC1E0C4
CreateThread.KERNEL32 ref: 000002287BC1E0E9
IsBadReadPtr.KERNEL32 ref: 000002287BC1E0FE
EnterCriticalSection.KERNEL32 ref: 000002287BC1E111
VirtualAlloc.KERNEL32 ref: 000002287BC1E128
LeaveCriticalSection.KERNEL32 ref: 000002287BC1E14C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$CreateFree$EventInitializeThread
String ID:
API String ID: 1715669518-0
Opcode ID: efd39a18ab53be254e5ab7e73d045871cc1d92396fd7e0560496da9bb3487c49
Instruction ID: cad8eb76c0e74c73e2b8acc719c804165e8145bdffdc7b217547bff87f2c35a6
Opcode Fuzzy Hash: efd39a18ab53be254e5ab7e73d045871cc1d92396fd7e0560496da9bb3487c49
Instruction Fuzzy Hash: 27316D36302B4096FB54CFA2E958759B7A6FBC9F84F58C02A9E4A43B54DF38C556C700

Function 000002287BC33EB0 Relevance: 12.1, APIs: 8, Instructions: 73networkCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC33EE1
CreateEventW.KERNEL32 ref: 000002287BC33F12
WSARecv.WS2_32 ref: 000002287BC33F49
WSAGetLastError.WS2_32 ref: 000002287BC33F4F
WaitForMultipleObjects.KERNEL32 ref: 000002287BC33F6D
WSAGetOverlappedResult.WS2_32 ref: 000002287BC33F9C
WSAGetLastError.WS2_32 ref: 000002287BC33FA2
CloseHandle.KERNEL32 ref: 000002287BC33FB4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsOverlappedRecvResultWaitmemset
String ID:
API String ID: 3426673637-0
Opcode ID: 52c421c825967520953a5b23246e7a4387fe70eee85a8aaed5ff1caa71a1bc93
Instruction ID: da613c524a320cdfe7d70ca0134967a03d9270486f389b6127db3e102e8daa1e
Opcode Fuzzy Hash: 52c421c825967520953a5b23246e7a4387fe70eee85a8aaed5ff1caa71a1bc93
Instruction Fuzzy Hash: 93317236215B81D6E710CFA1F548B8EB7A5F7C8784FA08126EB8943A14DF79C556CB40

Function 000002287BC34010 Relevance: 12.1, APIs: 8, Instructions: 56synchronizationthreadnetworkCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC34048
EnterCriticalSection.KERNEL32 ref: 000002287BC34056
send.WS2_32 ref: 000002287BC34068
GetLastError.KERNEL32 ref: 000002287BC3406E
IsBadReadPtr.KERNEL32 ref: 000002287BC3407E
LeaveCriticalSection.KERNEL32 ref: 000002287BC3408C
WaitForSingleObject.KERNEL32 ref: 000002287BC3409F
ExitThread.KERNEL32 ref: 000002287BC340AD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalReadSection$EnterErrorExitLastLeaveObjectSingleThreadWaitsend
String ID:
API String ID: 152332814-0
Opcode ID: 8d08eea230e4b6f90c829aa98d6795d4b32622fa59929bdfc937a3d05da3df0d
Instruction ID: 99fb50b5143eb18e9804b1c56e57dcd383175db2aea66cdfd5e0ce50f5233912
Opcode Fuzzy Hash: 8d08eea230e4b6f90c829aa98d6795d4b32622fa59929bdfc937a3d05da3df0d
Instruction Fuzzy Hash: F1116635305A00D2FB009FA2ED5C72AE7A6F7DAF88F648016CE0947754DE38C8578741

Function 000002287BC457D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 000002287BC457F6

Strings

lws_free, xrefs: 000002287BC459F7
__lws_close_free_wsi_final, xrefs: 000002287BC45937
failed to get ah, xrefs: 000002287BC45922
free, xrefs: 000002287BC4585F, 000002287BC459BB
client_reset, xrefs: 000002287BC458E1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: closesocket
String ID: __lws_close_free_wsi_final$client_reset$failed to get ah$free$lws_free
API String ID: 2781271927-1207365477
Opcode ID: d67164782edfafa85efe1b1ad5334ba79289834cad1433db88d2c4e3e7eaf4da
Instruction ID: 826f3512da79414b2105ff109091c04e0720247d2b7a192f4a744180e23092ec
Opcode Fuzzy Hash: d67164782edfafa85efe1b1ad5334ba79289834cad1433db88d2c4e3e7eaf4da
Instruction Fuzzy Hash: F7516176302A80A1FA58DF65D6483ADA7A6F7C5BB4F6482129F78076D5DF34C6638300

Function 000002287BC16F20 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 000002287BC16FCD
VirtualFree.KERNEL32 ref: 000002287BC17061
VirtualFree.KERNEL32 ref: 000002287BC1708B

Strings

UDP, xrefs: 000002287BC16FB6
TCP, xrefs: 000002287BC16FAD
HTTP, xrefs: 000002287BC16FC1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$lstrcat
String ID: HTTP$TCP$UDP
API String ID: 1793027038-3864057669
Opcode ID: f8c770e093299375ec3939c6a1ac62dfcec0d984de34bbc823660acc1cfcb956
Instruction ID: 8bbcca5ccc702a333a0130808dcffcbbeddb6d0683c6485c921f57b3599c0ddc
Opcode Fuzzy Hash: f8c770e093299375ec3939c6a1ac62dfcec0d984de34bbc823660acc1cfcb956
Instruction Fuzzy Hash: B6417D66315B4093EB64CFA2E54872DB3A2FBC9BC0F548125DA8A83F54DF38D5968B00

Function 000002287BC1D850 Relevance: 10.6, APIs: 7, Instructions: 103memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1D8F0
VirtualFree.KERNEL32 ref: 000002287BC1D91A
CreateThread.KERNEL32 ref: 000002287BC1D948
IsBadReadPtr.KERNEL32 ref: 000002287BC1D96C
EnterCriticalSection.KERNEL32 ref: 000002287BC1D97F
VirtualAlloc.KERNEL32 ref: 000002287BC1D996
LeaveCriticalSection.KERNEL32 ref: 000002287BC1D9BA

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
String ID:
API String ID: 1508740679-0
Opcode ID: 1e0f999212c5dae18b05ebfdccd023800d68c8a289210f02f12863f3365b7b20
Instruction ID: b03e939f34f7a8e8976bed95f2be1ac54b05fdd0eedaf0a4d6485035e24b71d1
Opcode Fuzzy Hash: 1e0f999212c5dae18b05ebfdccd023800d68c8a289210f02f12863f3365b7b20
Instruction Fuzzy Hash: CC419236212B8096FB54CF62E54875EB7A5FBC8B94F148025DF4A53B58DF38C456CB40

Function 000002287BC1DDB0 Relevance: 10.6, APIs: 7, Instructions: 102memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1DE4A
VirtualFree.KERNEL32 ref: 000002287BC1DE74
CreateThread.KERNEL32 ref: 000002287BC1DEA0
IsBadReadPtr.KERNEL32 ref: 000002287BC1DEC4
EnterCriticalSection.KERNEL32 ref: 000002287BC1DED7
VirtualAlloc.KERNEL32 ref: 000002287BC1DEEE
LeaveCriticalSection.KERNEL32 ref: 000002287BC1DF12

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
String ID:
API String ID: 1508740679-0
Opcode ID: 273e2070679fd9d425f482d2ff087d99ca88f881e3c69df1ba744a5168f544b7
Instruction ID: f3f4c703d45355c6f95aaa494a7c24a5b3f5a08e06e81f013002d5fcffddd09c
Opcode Fuzzy Hash: 273e2070679fd9d425f482d2ff087d99ca88f881e3c69df1ba744a5168f544b7
Instruction Fuzzy Hash: 7A41BA7A302B4096EB54CF62E54835DB7A2FBC8F84F68802ADB4943B18DF38C556CB40

Function 000002287BC24110 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95librarymemoryloaderCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC24127
LoadLibraryW.KERNEL32 ref: 000002287BC24145
GetProcAddress.KERNEL32 ref: 000002287BC2415D
FreeLibrary.KERNEL32 ref: 000002287BC2416D

Strings

SetProcessDPIAware, xrefs: 000002287BC24153
user32.dll, xrefs: 000002287BC24139

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Library$AddressAllocFreeLoadProcVirtual
String ID: SetProcessDPIAware$user32.dll
API String ID: 3041263384-1137607222
Opcode ID: 9d02f87800e55cbf7a8c42c438b0b17f760479b48bbb6df9485456c9862dbe11
Instruction ID: bbdecf8cf405e1a701e569403e56fe927a4e2995ef528a142a7a63586b3691e5
Opcode Fuzzy Hash: 9d02f87800e55cbf7a8c42c438b0b17f760479b48bbb6df9485456c9862dbe11
Instruction Fuzzy Hash: 71515739203F45E5FB419FA0E8893D973AAFB89B44F688536C95D16368EF38C196C350

Function 000002287BC34CA0 Relevance: 10.6, APIs: 7, Instructions: 94memorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC34CD3

Part of subcall function 000002287BC33EB0: memset.NTDLL ref: 000002287BC33EE1
Part of subcall function 000002287BC33EB0: CreateEventW.KERNEL32 ref: 000002287BC33F12
Part of subcall function 000002287BC33EB0: WSARecv.WS2_32 ref: 000002287BC33F49
Part of subcall function 000002287BC33EB0: WSAGetLastError.WS2_32 ref: 000002287BC33F4F
Part of subcall function 000002287BC33EB0: WaitForMultipleObjects.KERNEL32 ref: 000002287BC33F6D
Part of subcall function 000002287BC33EB0: WSAGetLastError.WS2_32 ref: 000002287BC33FA2
Part of subcall function 000002287BC33EB0: CloseHandle.KERNEL32 ref: 000002287BC33FB4

VirtualFree.KERNEL32 ref: 000002287BC34D27
VirtualFree.KERNEL32 ref: 000002287BC34D44
WaitForSingleObject.KERNEL32 ref: 000002287BC34D55
VirtualAlloc.KERNEL32 ref: 000002287BC34D6D
VirtualFree.KERNEL32 ref: 000002287BC34D9E
VirtualFree.KERNEL32 ref: 000002287BC34DD4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocErrorLastWait$CloseCreateEventHandleMultipleObjectObjectsRecvSinglememset
String ID:
API String ID: 970482246-0
Opcode ID: bcfe923bc1964125a088590f5d55776f769510132eb89fe0d0a8e6d172af37a9
Instruction ID: af8e1cef074e57477001685f15058e37bee7130b108c042a83b67ac5432eb7e7
Opcode Fuzzy Hash: bcfe923bc1964125a088590f5d55776f769510132eb89fe0d0a8e6d172af37a9
Instruction Fuzzy Hash: DE31B72930265191FB648FA7ED0CB56E6D2ABCAFD0F6CC0359D4A8B7A4DE39C4435B01

Function 000002287BC30B80 Relevance: 10.6, APIs: 7, Instructions: 82memoryfilestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000002287BC30BCE
VirtualAlloc.KERNEL32 ref: 000002287BC30BEC

Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C997
Part of subcall function 000002287BC2C960: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,000002287BC2101E), ref: 000002287BC2C9BF

lstrlenA.KERNEL32 ref: 000002287BC30C1A
WriteFile.KERNEL32 ref: 000002287BC30C34
VirtualFree.KERNEL32 ref: 000002287BC30C45
VirtualFree.KERNEL32 ref: 000002287BC30C6A
VirtualFree.KERNEL32 ref: 000002287BC30C94

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$ByteCharFreeMultiWide$AllocFileWritelstrlen
String ID:
API String ID: 2835453980-0
Opcode ID: 71f212e19adb1378ffe727bebadbeda59ee68b8536da3b7b422bd183694d57e2
Instruction ID: a84a191335b875f127e2c95cda41f611b4f946ff5ce951682797b991f66fe32a
Opcode Fuzzy Hash: 71f212e19adb1378ffe727bebadbeda59ee68b8536da3b7b422bd183694d57e2
Instruction Fuzzy Hash: 58316036305B4097FB14CF67A65861AA3A2FBC9FC0F148025DE8A53F24DF38C0628B05

Function 000002287BC1D710 Relevance: 10.6, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1D757
memset.NTDLL ref: 000002287BC1D76C
memcpy.NTDLL ref: 000002287BC1D787
memcpy.NTDLL ref: 000002287BC1D7A1
VirtualFree.KERNEL32 ref: 000002287BC1D7B6
VirtualFree.KERNEL32 ref: 000002287BC1D7E0
SHFileOperationW.SHELL32 ref: 000002287BC1D827

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtualmemcpymemset$FileOperation
String ID:
API String ID: 467530429-0
Opcode ID: dffc5ae634dab5e40cba806f4480da46c8e90b6c2f9df2de3ee599a4a81b9e1f
Instruction ID: f2af87485b52c6bbb79d074e5f10352e6d7b91007ae9e522c38903d487332a4a
Opcode Fuzzy Hash: dffc5ae634dab5e40cba806f4480da46c8e90b6c2f9df2de3ee599a4a81b9e1f
Instruction Fuzzy Hash: EA316B36215B8196EB20CF52E48864EF7A5FBC9B84F548525DB9903B28DF39D166CB00

Function 000002287BC32BB0 Relevance: 10.6, APIs: 7, Instructions: 75networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 000002287BC32C05
WSASend.WS2_32 ref: 000002287BC32C4B
WSAGetLastError.WS2_32 ref: 000002287BC32C51
WaitForMultipleObjects.KERNEL32 ref: 000002287BC32C7A
WSAGetLastError.WS2_32 ref: 000002287BC32CB3
CloseHandle.KERNEL32 ref: 000002287BC32CC5

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
String ID:
API String ID: 248740593-0
Opcode ID: 736fedc4c4d23ddd567e7e6bbc7468ae00658e1629175c99a4b37f698f570d50
Instruction ID: d725677ef4e2dc8e5a36b0ee8b4db7d5952be61a92b8e5855f90ccde44144f50
Opcode Fuzzy Hash: 736fedc4c4d23ddd567e7e6bbc7468ae00658e1629175c99a4b37f698f570d50
Instruction Fuzzy Hash: 1A316F36609B809AFB208FA4F44878AF361F7C5794F648126EB8C47B58DF78C586CB01

Function 000002287BC28030 Relevance: 10.6, APIs: 7, Instructions: 71memoryfilepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32 ref: 000002287BC2805F
VirtualAlloc.KERNEL32 ref: 000002287BC2808C
ReadFile.KERNEL32 ref: 000002287BC280B4
VirtualFree.KERNEL32 ref: 000002287BC280D7
FlushFileBuffers.KERNEL32 ref: 000002287BC280E1
GetLastError.KERNEL32 ref: 000002287BC280EB
GetLastError.KERNEL32 ref: 000002287BC2810D

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
String ID:
API String ID: 1637252459-0
Opcode ID: 4468efe2ac97f06d54e52ac93bf4084700aad4286db5d8e7735387b67f148689
Instruction ID: 50b8d44849f337b31d15ab0372a1d843fc77930d9866c13a239cc3fb7e29d0dc
Opcode Fuzzy Hash: 4468efe2ac97f06d54e52ac93bf4084700aad4286db5d8e7735387b67f148689
Instruction Fuzzy Hash: 0A21923A305A4096F7208FA2F90865AF3A1FBC9BE5F148025DE4D83B54EF38D496CB00

Function 000002287BC2CDC0 Relevance: 10.6, APIs: 7, Instructions: 70stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 000002287BC2CE00
QueryDosDeviceW.KERNEL32 ref: 000002287BC2CE5F
lstrlenW.KERNEL32 ref: 000002287BC2CE6E
wcsncmp.NTDLL ref: 000002287BC2CE82
lstrcpyW.KERNEL32 ref: 000002287BC2CEA7
lstrcpyW.KERNEL32 ref: 000002287BC2CED7
lstrcatW.KERNEL32 ref: 000002287BC2CEE4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: lstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlenwcsncmp
String ID:
API String ID: 1240803607-0
Opcode ID: 9280a457a6313f234a10a2775b094dafe39453bb89c65eff5f156e380ed969df
Instruction ID: 361c42c50d8013c360a7c4d8b634f9a0e93fd4bdccb8036b3118bdadb9501fb2
Opcode Fuzzy Hash: 9280a457a6313f234a10a2775b094dafe39453bb89c65eff5f156e380ed969df
Instruction Fuzzy Hash: 1231866A205A81D5FB708F51E8087EFB362FBC5BC5F5491269E8943654EF3CC556C700

Function 000002287BC17FF0 Relevance: 10.6, APIs: 7, Instructions: 69threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000002287BC18000
ProcessIdToSessionId.KERNEL32 ref: 000002287BC1800D
WTSEnumerateSessionsW.WTSAPI32 ref: 000002287BC1803C
WTSQuerySessionInformationW.WTSAPI32 ref: 000002287BC1808D
WTSFreeMemory.WTSAPI32 ref: 000002287BC180B2

Part of subcall function 000002287BC17840: memset.NTDLL ref: 000002287BC17869
Part of subcall function 000002287BC17840: GetSystemDirectoryW.KERNEL32 ref: 000002287BC1787A
Part of subcall function 000002287BC17840: GetLastError.KERNEL32 ref: 000002287BC17884
Part of subcall function 000002287BC17840: lstrcatW.KERNEL32 ref: 000002287BC17A5B

WTSFreeMemory.WTSAPI32 ref: 000002287BC180CA
CreateThread.KERNEL32 ref: 000002287BC180EC

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
String ID:
API String ID: 3188162108-0
Opcode ID: d566a49c519e7465bdeb44e4b25feed635b824216205b27444040cf427fbd1ca
Instruction ID: 6c89a0a2f8f462972cf6cd7e98f2dc7a7d9c94bc781b946f34b1d323382a64ff
Opcode Fuzzy Hash: d566a49c519e7465bdeb44e4b25feed635b824216205b27444040cf427fbd1ca
Instruction Fuzzy Hash: 1B314F7A219B48D7E710CF61E54864EB7A6F3C8784F648116EB8A83B28DF38D546CB00

Function 000002287BC204C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66processthreadinjectionCOMMON

Download Yara Rule

APIs

CreateProcessWithTokenW.ADVAPI32 ref: 000002287BC20554
GetLastError.KERNEL32 ref: 000002287BC2055E
CloseHandle.KERNEL32 ref: 000002287BC20570
CloseHandle.KERNEL32 ref: 000002287BC20585
SuspendThread.KERNEL32 ref: 000002287BC20594

Strings

h, xrefs: 000002287BC2054C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
String ID: h
API String ID: 1678065097-2439710439
Opcode ID: 3cbc20e78e1eb83783e4a30a281580a657b95db29aa1acf2fc706db10240a998
Instruction ID: eb4aae2c0a9cc3ef3caa50ba580c1642b85879bf8eb984954284244d3f2d1b72
Opcode Fuzzy Hash: 3cbc20e78e1eb83783e4a30a281580a657b95db29aa1acf2fc706db10240a998
Instruction Fuzzy Hash: 3A317076A18B8082F710CF91E58835DB3A5F7D8794F219226EE9843B14DFB8C4D1CB00

Function 000002287BC20700 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000002287BC2075A
memset.NTDLL ref: 000002287BC20775
lstrlenA.KERNEL32 ref: 000002287BC2077F
DeviceIoControl.KERNEL32 ref: 000002287BC207BA
CloseHandle.KERNEL32 ref: 000002287BC207C3

Strings

\\.\{F8284233-48F4-4680-ADDD-F8284233}, xrefs: 000002287BC20738

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
API String ID: 2589617790-329358119
Opcode ID: ddb270b5adfe0e322802696b8fc744b31215d6184e53b30f0350213f07a3a6f1
Instruction ID: 0ed94398792dc80b3261c7a354add7e98d57b89cf5aec030e2742d85b36ae58c
Opcode Fuzzy Hash: ddb270b5adfe0e322802696b8fc744b31215d6184e53b30f0350213f07a3a6f1
Instruction Fuzzy Hash: F8113A3A219B8092E761CF90F45878AB3A1F7C9744F648126EA8D47B58EF7CC109CB40

Function 000002287BC2D330 Relevance: 10.5, APIs: 7, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(?,?,?,000002287BC122C3), ref: 000002287BC2D347
OpenServiceW.ADVAPI32(?,?,?,000002287BC122C3), ref: 000002287BC2D376
GetLastError.KERNEL32(?,?,?,000002287BC122C3), ref: 000002287BC2D384
CloseServiceHandle.ADVAPI32(?,?,?,000002287BC122C3), ref: 000002287BC2D38F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager
String ID:
API String ID: 2659350385-0
Opcode ID: 21d58da2365aae7713df0bba265bb248948e741fa30b49312907162967780c34
Instruction ID: 2f6513d2e1771a089efbef0634dfb427c2e3b8d5bad287016485dfe90e6e6927
Opcode Fuzzy Hash: 21d58da2365aae7713df0bba265bb248948e741fa30b49312907162967780c34
Instruction Fuzzy Hash: 44019629B1A641D2FB044FE6F65C66892A2BBCDBD4F189035DE0A47705EE3CC0868700

Function 000002287BC33E10 Relevance: 10.5, APIs: 7, Instructions: 43threadnetworkCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC33E2D
EnterCriticalSection.KERNEL32 ref: 000002287BC33E52
send.WS2_32 ref: 000002287BC33E64
GetLastError.KERNEL32 ref: 000002287BC33E6A
IsBadReadPtr.KERNEL32 ref: 000002287BC33E7A
ExitThread.KERNEL32 ref: 000002287BC33E86

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Read$CriticalEnterErrorExitLastSectionThreadsend
String ID:
API String ID: 4016372045-0
Opcode ID: 0cb937844fa9c00b9fa8bea4c611d7e8c3f40beeb7d681a97e4cbd93e78cb1ef
Instruction ID: 8509782d51122f6685e19a5f11edcdf5ce26f1b4ed814f37ec1e8214105267de
Opcode Fuzzy Hash: 0cb937844fa9c00b9fa8bea4c611d7e8c3f40beeb7d681a97e4cbd93e78cb1ef
Instruction Fuzzy Hash: E0016D26715A40D2FB809F62F85869AA361F7C9F88F589026EE4A83754DE38C896C740

Function 000002287BC12810 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC12832
GetSystemDirectoryW.KERNEL32 ref: 000002287BC12841
GetLastError.KERNEL32 ref: 000002287BC1284B
lstrcatW.KERNEL32 ref: 000002287BC1285D
VirtualFree.KERNEL32 ref: 000002287BC128A5

Strings

\svchost.exe -k netsvcs, xrefs: 000002287BC12851

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
String ID: \svchost.exe -k netsvcs
API String ID: 1196864501-2993138014
Opcode ID: 3c54e76b755668cf6d3f4ee9d45539f6f3659440dcd46cb8989e19fc75b63e78
Instruction ID: e18d199d06b6f4bb8b4486ac3efb2bbd59974f6732c90ed61b15cc6c22e9f71e
Opcode Fuzzy Hash: 3c54e76b755668cf6d3f4ee9d45539f6f3659440dcd46cb8989e19fc75b63e78
Instruction Fuzzy Hash: 7F01B529212A45E2FB30DFA1E85C35AA362F7C5B58F108212C9AD436E4DF3CC24BCB40

Function 000002287BC1F440 Relevance: 10.1, APIs: 8, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC1F468
VirtualAlloc.KERNEL32 ref: 000002287BC1F48B
InitializeCriticalSection.KERNEL32 ref: 000002287BC1F49D
VirtualAlloc.KERNEL32 ref: 000002287BC1F4C2
VirtualAlloc.KERNEL32 ref: 000002287BC1F515
InitializeCriticalSection.KERNEL32 ref: 000002287BC1F527
VirtualFree.KERNEL32 ref: 000002287BC1F66E
VirtualFree.KERNEL32 ref: 000002287BC1F698

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalFreeInitializeSection
String ID:
API String ID: 2852478515-0
Opcode ID: c5cfcf3bffb5d7c89580759386092f93148ed843e36550bd311e222fef34503b
Instruction ID: 90e7f19decf347dfefe548c00b887c82710715b14574a478eab284e257777dcf
Opcode Fuzzy Hash: c5cfcf3bffb5d7c89580759386092f93148ed843e36550bd311e222fef34503b
Instruction Fuzzy Hash: 2D61FA79203F44A5F705CF61E488389B3AAFB88B44FA4813ADA8D57768EF38C556C350

Function 000002287BC2F340 Relevance: 9.1, APIs: 6, Instructions: 86memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC2F3A6
VirtualAlloc.KERNEL32 ref: 000002287BC2F3E6
NetUserSetInfo.NETAPI32 ref: 000002287BC2F420
VirtualFree.KERNEL32 ref: 000002287BC2F433
lstrcmpiW.KERNEL32 ref: 000002287BC2F448
VirtualFree.KERNEL32 ref: 000002287BC2F45D

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree$InfoUserlstrcmpi
String ID:
API String ID: 4244901044-0
Opcode ID: ffb3443bbac70228aa897f474ce45adbdc9e97f2773668571b4a4edc2f42a8ff
Instruction ID: f487916e27493af500ce230b2ee72a20367302e17d03fbdf4382ee665bc7e98c
Opcode Fuzzy Hash: ffb3443bbac70228aa897f474ce45adbdc9e97f2773668571b4a4edc2f42a8ff
Instruction Fuzzy Hash: 2631847931674493FB148FA2E94875AE7A2EB89FD5F148028DD4A47798DF7CC48ACB00

Function 000002287BC35700 Relevance: 9.1, APIs: 6, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000002287BC35739
memset.NTDLL ref: 000002287BC35763
WaitForSingleObject.KERNEL32 ref: 000002287BC3576E
memcpy.NTDLL ref: 000002287BC35793
memcpy.NTDLL ref: 000002287BC357C4
SetEvent.KERNEL32 ref: 000002287BC35801

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ObjectSingleWaitmemcpy$Eventmemset
String ID:
API String ID: 2578485326-0
Opcode ID: 593d3bfb47ea6c412de529a8b649e62841a5da6e6762aa89e932a4b07bb049f8
Instruction ID: e3c16159e714babfe944739665cbb5965a31fd544d8c633ef40c22736871c25d
Opcode Fuzzy Hash: 593d3bfb47ea6c412de529a8b649e62841a5da6e6762aa89e932a4b07bb049f8
Instruction Fuzzy Hash: EF31D62A71560092F730DFB6E44879EEA62FBC57D4FA08411EB9E87A85DE78C4839301

Function 000002287BC2E820 Relevance: 9.1, APIs: 6, Instructions: 72memorywindowCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,000002287BC2EC55), ref: 000002287BC2E85D
GetDC.USER32 ref: 000002287BC2E8B7
CreateCompatibleBitmap.GDI32 ref: 000002287BC2E8C9
GetDIBits.GDI32 ref: 000002287BC2E8ED
ReleaseDC.USER32 ref: 000002287BC2E8F8
DeleteObject.GDI32 ref: 000002287BC2E901

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: AllocBitmapBitsCompatibleCreateDeleteObjectReleaseVirtual
String ID:
API String ID: 1942853633-0
Opcode ID: 13579db701cc3f9648d3d847a457af4c41c6300500b32a6bdf374a6fdac0f19d
Instruction ID: 02b1f79d3fbf455210ec1f9847b84fb6fae3479b569b316bd412632bffe16108
Opcode Fuzzy Hash: 13579db701cc3f9648d3d847a457af4c41c6300500b32a6bdf374a6fdac0f19d
Instruction Fuzzy Hash: AE21DE7621178083EB089F66B91861DBAA1FBC9BD0F55812EDE8653BA0CF38C0428B04

Function 000002287BC21D40 Relevance: 9.1, APIs: 6, Instructions: 61networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 000002287BC21D69
WSASend.WS2_32 ref: 000002287BC21DC7
WSAGetLastError.WS2_32 ref: 000002287BC21DCD
WaitForMultipleObjects.KERNEL32 ref: 000002287BC21DEE
WSAGetOverlappedResult.WS2_32 ref: 000002287BC21E14
WSAGetLastError.WS2_32 ref: 000002287BC21E1A

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleObjectsOverlappedResultSendWait
String ID:
API String ID: 2744466595-0
Opcode ID: f4a1bc1cac240b64085eebbab03949733171f532d965439b73487b32c39e4c9c
Instruction ID: fd41a50dc3e14e48316ce5a8e77aa155617a015c7b9c3c37a730af87447bb20b
Opcode Fuzzy Hash: f4a1bc1cac240b64085eebbab03949733171f532d965439b73487b32c39e4c9c
Instruction Fuzzy Hash: 1A215136209B80D7E7208F65F948A4EF7A5F7C9794F508126DA8943F28DF78C55ACB00

Function 000002287BC27F40 Relevance: 9.1, APIs: 6, Instructions: 56filesleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000002287BC27F60
CreateFileW.KERNEL32 ref: 000002287BC27F8F
GetLastError.KERNEL32 ref: 000002287BC27FA0
GetTickCount.KERNEL32 ref: 000002287BC27FB4
Sleep.KERNEL32 ref: 000002287BC27FC8
CreateFileW.KERNEL32 ref: 000002287BC27FF2

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CountCreateFileTick$ErrorLastSleep
String ID:
API String ID: 2478964991-0
Opcode ID: 1fa91be5546011857bb5268aae10dbfd336c52318b51f8d73b8f7a40f7e50af3
Instruction ID: 255dd7772d33f572d8668017f63450d28e991ad7240618890c7ee8b3f3c0ecc0
Opcode Fuzzy Hash: 1fa91be5546011857bb5268aae10dbfd336c52318b51f8d73b8f7a40f7e50af3
Instruction Fuzzy Hash: 8D219535205B4096F3608FA0B95C75AB691F7C87B8F248722D6A583BD4DF38C4468700

Function 000002287BC10320 Relevance: 8.9, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 000002287BC1037C
free.MSVCRT ref: 000002287BC103CC
free.MSVCRT ref: 000002287BC1041C
free.MSVCRT ref: 000002287BC1046C
free.MSVCRT ref: 000002287BC1049B
free.MSVCRT ref: 000002287BC104BD
free.MSVCRT ref: 000002287BC104FB

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 00841f5d62244bb9ad7474d482c6f0d074869daa416a1b9df4e920309b030068
Instruction ID: 83dcd7c400e203daca91d04045a4e170eafc7c825e0303ec4e3dcf6cc0b34180
Opcode Fuzzy Hash: 00841f5d62244bb9ad7474d482c6f0d074869daa416a1b9df4e920309b030068
Instruction Fuzzy Hash: 1051BA7A213B48E1FA508F99E588318B3A6E788F98F78D416DA8D63754DF75C4A2C310

Function 000002287BC1DAF0 Relevance: 8.9, APIs: 7, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC1DB19
VirtualFree.KERNEL32 ref: 000002287BC1DBE6
VirtualFree.KERNEL32 ref: 000002287BC1DC10
CloseHandle.KERNEL32 ref: 000002287BC1DC25
VirtualFree.KERNEL32 ref: 000002287BC1DC58
VirtualFree.KERNEL32 ref: 000002287BC1DC82
VirtualFree.KERNEL32 ref: 000002287BC1DC97

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1458D
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC145BF
Part of subcall function 000002287BC14570: InitializeCriticalSection.KERNEL32 ref: 000002287BC145D4
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC145F0
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14603
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1461A
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC14649
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC1465E
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14671
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC14688
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC146B7
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC146CC
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC146DF
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC146F6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$Free$Leave$Initialize$CloseHandle
String ID:
API String ID: 1803526796-0
Opcode ID: 69801f64ede04bbea7cc69c2b4859a8af001f84668aa4b53a985770f8a0b9a64
Instruction ID: 619dff94445c94ce01d202d1ce236dfcd90b8811b56d5cdd3ea644e65e1e5a3e
Opcode Fuzzy Hash: 69801f64ede04bbea7cc69c2b4859a8af001f84668aa4b53a985770f8a0b9a64
Instruction Fuzzy Hash: 74513F39202B4092FB64CF92F45875AB3A6FBC9B90F54C125CA9E43B64EF38D052C740

Function 000002287BC10720 Relevance: 7.7, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 000002287BC107F2
memcpy.NTDLL ref: 000002287BC10810
memcpy.NTDLL ref: 000002287BC108F3

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b724fa2a07575d1f2e0ebca6cf9c5d14953e58695853448362fc9f09176e4fc8
Instruction ID: 8c4503da65eb1f4335b20b1686aaf4540657cad2189c5814fae5715045633e2a
Opcode Fuzzy Hash: b724fa2a07575d1f2e0ebca6cf9c5d14953e58695853448362fc9f09176e4fc8
Instruction Fuzzy Hash: 7A61BE7A206B849AFB20CFA5E44875DB3A6FB88B94F69C025CE5D53B94EF34C442C750

Function 000002287BC24330 Relevance: 7.6, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC24383
VirtualFree.KERNEL32 ref: 000002287BC243AD
VirtualAlloc.KERNEL32 ref: 000002287BC243C4
InitializeCriticalSection.KERNEL32 ref: 000002287BC2444E
VirtualFree.KERNEL32 ref: 000002287BC244D3
VirtualFree.KERNEL32 ref: 000002287BC244FD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
String ID:
API String ID: 2124124174-0
Opcode ID: 327538bf83d39be03c92c6611fd246348e0e96911acdfefe4918cf67a76a0f69
Instruction ID: a685b6cca487e3299b163fbfbe5807e83498dece01a890fde909b6056d60fe23
Opcode Fuzzy Hash: 327538bf83d39be03c92c6611fd246348e0e96911acdfefe4918cf67a76a0f69
Instruction Fuzzy Hash: 71515C3A202B4096FB60CF92F458B59B3AAFB89B84F558129CE8D43B14EF38D095C740

Function 000002287BC2EFB0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC2C7F0: WTSEnumerateSessionsW.WTSAPI32 ref: 000002287BC2C82F

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

VirtualFree.KERNEL32 ref: 000002287BC2F054
VirtualFree.KERNEL32 ref: 000002287BC2F07E
VirtualFree.KERNEL32 ref: 000002287BC2F0B6
VirtualFree.KERNEL32 ref: 000002287BC2F0E0

Strings

@, xrefs: 000002287BC2F007

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$EnumerateInitializeSessions
String ID: @
API String ID: 3635408051-3454712805
Opcode ID: b0c86a4cab25e2652359a583b6c9b9f4367b00505ec8be9c526b7c58144f271c
Instruction ID: 22bd8706f99605c725943f4ea0c9d294bc67abc07fe4fde1104b14b8130cd5fc
Opcode Fuzzy Hash: b0c86a4cab25e2652359a583b6c9b9f4367b00505ec8be9c526b7c58144f271c
Instruction Fuzzy Hash: 6E314136702B4096EB64DF63E55861EB7A6FBC9B84B148025DF8A53F14DF39C0A68B04

Function 000002287BC1589B Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1592B
VirtualFree.KERNEL32 ref: 000002287BC15955
VirtualFree.KERNEL32 ref: 000002287BC15D08
VirtualFree.KERNEL32 ref: 000002287BC15D32

Part of subcall function 000002287BC2BCB0: memcpy.NTDLL ref: 000002287BC2BCD5
Part of subcall function 000002287BC2BCB0: memset.NTDLL ref: 000002287BC2BD6A
Part of subcall function 000002287BC2BCB0: wsprintfW.USER32 ref: 000002287BC2BD89
Part of subcall function 000002287BC2BCB0: SetFileAttributesW.KERNEL32 ref: 000002287BC2BD99
Part of subcall function 000002287BC2BCB0: DeleteFileW.KERNEL32 ref: 000002287BC2BDA4
Part of subcall function 000002287BC2BCB0: CreateFileW.KERNEL32 ref: 000002287BC2BDD4
Part of subcall function 000002287BC2BCB0: GetLastError.KERNEL32 ref: 000002287BC2BDE3
Part of subcall function 000002287BC2BCB0: SetFileAttributesW.KERNEL32 ref: 000002287BC2BE30

Strings

192.197.113.45, xrefs: 000002287BC1590F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$FileFree$EnterRead$AttributesLeave$CreateDeleteErrorInitializeLastmemcpymemsetwsprintf
String ID: 192.197.113.45
API String ID: 3047218378-820838125
Opcode ID: 2b6defab8ed644ac50e923dc36a15746bf9641cd2956f56d6c7c39fb03cb3d69
Instruction ID: 065dccf78086f24ed9189b7a9e03a39280d4cb46cf21c8440df59f47842e6632
Opcode Fuzzy Hash: 2b6defab8ed644ac50e923dc36a15746bf9641cd2956f56d6c7c39fb03cb3d69
Instruction Fuzzy Hash: F631A126712A4082FB64DFA7E45C76EA3A6FBC9B90F12C1158F8A43B54DF38C1868700

Function 000002287BC157C8 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC15866
VirtualFree.KERNEL32 ref: 000002287BC15890
VirtualFree.KERNEL32 ref: 000002287BC15D08
VirtualFree.KERNEL32 ref: 000002287BC15D32

Strings

192.197.113.45, xrefs: 000002287BC15822

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
String ID: 192.197.113.45
API String ID: 696443088-820838125
Opcode ID: 7f8cadc7e285ae11971a4ac663658132d71a4b6ccc16da7a7032d0ef10562ca5
Instruction ID: e3d0958f2883c9962eabb4857ba500ca4b44f9e631fb58d9f18776576dee23a0
Opcode Fuzzy Hash: 7f8cadc7e285ae11971a4ac663658132d71a4b6ccc16da7a7032d0ef10562ca5
Instruction Fuzzy Hash: DD315C3A602B4196FB24DF96E55C71AA3A6FBC5B80F21C0168F8603B64DF39C0868B00

Function 000002287BC4E640 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,000002287BC411BF), ref: 000002287BC4E71E

Strings

%s: OOM, xrefs: 000002287BC4E6AF
lws_buflist_append_segment, xrefs: 000002287BC4E692, 000002287BC4E6A8, 000002287BC4E6C3, 000002287BC4E6E2
%s: buflist reached sanity limit, xrefs: 000002287BC4E6EE
%s: corrupt list points to self, xrefs: 000002287BC4E6CF

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID: %s: OOM$%s: buflist reached sanity limit$%s: corrupt list points to self$lws_buflist_append_segment
API String ID: 3510742995-575834517
Opcode ID: ba9ff21200fa1422aea39c90e6c7c80ef22b648ed25b9cfedbdff520b8680236
Instruction ID: c15604c85300388005b9e92972b4546f0daa40418a6e509d3a938977dfe207bb
Opcode Fuzzy Hash: ba9ff21200fa1422aea39c90e6c7c80ef22b648ed25b9cfedbdff520b8680236
Instruction Fuzzy Hash: D921D13A206B45A0FA148F95E408399BBA6F788BE4FA5C116EA4D037E4DF38C646C340

Function 000002287BC1DCC0 Relevance: 7.6, APIs: 5, Instructions: 57stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000002287BC1DCE5
lstrcatW.KERNEL32 ref: 000002287BC1DD0C

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC1C9B0: memset.NTDLL ref: 000002287BC1C9F5
Part of subcall function 000002287BC1C9B0: lstrcatW.KERNEL32 ref: 000002287BC1CA04
Part of subcall function 000002287BC1C9B0: lstrcatW.KERNEL32 ref: 000002287BC1CA18
Part of subcall function 000002287BC1C9B0: memset.NTDLL ref: 000002287BC1CA2B
Part of subcall function 000002287BC1C9B0: FindFirstFileW.KERNEL32 ref: 000002287BC1CA3C
Part of subcall function 000002287BC1C9B0: FindNextFileW.KERNEL32 ref: 000002287BC1CA95
Part of subcall function 000002287BC1C9B0: FindNextFileW.KERNEL32 ref: 000002287BC1CAF9

VirtualFree.KERNEL32 ref: 000002287BC1DD53
VirtualFree.KERNEL32 ref: 000002287BC1DD7D
free.MSVCRT ref: 000002287BC1DD86

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterFileFindReadlstrcat$FreeLeaveNextmemset$FirstInitializefreemalloc
String ID:
API String ID: 2817660952-0
Opcode ID: d7ce884ec659c7e0cc6de19210e011dca56ab10a28334d10c45262fb231a6201
Instruction ID: 1478afd6dd9adc8f0cc3d3587572783bc38c1df3624fd0ea45f5f608a7cce508
Opcode Fuzzy Hash: d7ce884ec659c7e0cc6de19210e011dca56ab10a28334d10c45262fb231a6201
Instruction Fuzzy Hash: 4121F335302A8095FB14DF93E85C75AA7A5F7C9FC4F18C0259E8947B58DE38C1428740

Function 000002287BC238A0 Relevance: 7.5, APIs: 5, Instructions: 28synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000002287BC238C2
CloseHandle.KERNEL32 ref: 000002287BC238D0
WaitForSingleObject.KERNEL32 ref: 000002287BC238DF
GetCurrentProcess.KERNEL32 ref: 000002287BC238E9
TerminateProcess.KERNEL32 ref: 000002287BC238F4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleObjectSingleTerminateThreadWait
String ID:
API String ID: 603326088-0
Opcode ID: f1eee888be949acee3f31b447f91f8061928013f2e1e1d50efeb43abaeb1e76c
Instruction ID: 8fb3026d2ff48ab9c20c66ff22ac67f68748f74485946dd4d468574d552a8df7
Opcode Fuzzy Hash: f1eee888be949acee3f31b447f91f8061928013f2e1e1d50efeb43abaeb1e76c
Instruction Fuzzy Hash: B9F0546971260096FB148FF1AD0C755A3A2BBC9B58F68852A8C1987350FE3CC0438610

Function 000002287BC42830 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC428AC
_unlink.MSVCRT ref: 000002287BC42AC0
memset.NTDLL ref: 000002287BC42B07

Strings

lws_free, xrefs: 000002287BC429D5, 000002287BC42A18, 000002287BC42A2D, 000002287BC42A60, 000002287BC42B0C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memset$_unlink
String ID: lws_free
API String ID: 1884818752-2419506585
Opcode ID: 2b4d076a4aee2642aadf0ee658338696a0446662a2dd93154b02c4e920f709c8
Instruction ID: 3722b066a55df1de7737014dbae6f1886a9b52f8a9a04596f0fee2275f65d838
Opcode Fuzzy Hash: 2b4d076a4aee2642aadf0ee658338696a0446662a2dd93154b02c4e920f709c8
Instruction Fuzzy Hash: 62815D3A212B85A4FB648F55D4493ADABA2F7D4B98F688435CE4D4B394DF34C652C310

Function 000002287BC46090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC460E8
_time64.MSVCRT ref: 000002287BC4613C

Strings

%s: calling service, xrefs: 000002287BC46177
__lws_header_table_reset, xrefs: 000002287BC46169

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: _time64memset
String ID: %s: calling service$__lws_header_table_reset
API String ID: 899224009-1639372703
Opcode ID: 3f6baea8b054f78f6fa319b1d3ed3b6a3e783d16ad0033a8b6aaf7f4e8f9a2f0
Instruction ID: 372d8e93bb27677d287387941470f2981fee7ee7e18b9fea640963b9eef451f5
Opcode Fuzzy Hash: 3f6baea8b054f78f6fa319b1d3ed3b6a3e783d16ad0033a8b6aaf7f4e8f9a2f0
Instruction Fuzzy Hash: 1531AF22A05BC092E745CF61D5843ECBB65F799F58F289236DF584B29ADF34C2A2C310

Function 000002287BC13000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 000002287BC13027
GetLastError.KERNEL32 ref: 000002287BC1309F
SysAllocString.OLEAUT32 ref: 000002287BC130BD

Strings

\Microsoft\Windows, xrefs: 000002287BC130B6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: AllocErrorInitLastStringVariant
String ID: \Microsoft\Windows
API String ID: 3210815728-1732172413
Opcode ID: 004125f1d84ecdb5e7494dadc9ab5b49c7bed4fc4b6bdfb48350d005c5d9828e
Instruction ID: 6b1b072be70a2baafb77d9502bc9e94023f2456d826ddcf0b24bd7aab344a62c
Opcode Fuzzy Hash: 004125f1d84ecdb5e7494dadc9ab5b49c7bed4fc4b6bdfb48350d005c5d9828e
Instruction Fuzzy Hash: D5215026A18EC5D2E7218F64F4043DAB371FBD9B84F149212EB8952619EF3DC186CB00

Function 000002287BC25F40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 000002287BC25F88
VirtualFree.KERNEL32 ref: 000002287BC25F9E
VirtualFree.KERNEL32 ref: 000002287BC25FD4

Strings

boom..., xrefs: 000002287BC25F7C

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: FreeVirtual$Message
String ID: boom...
API String ID: 3815264287-1338744694
Opcode ID: c9ebd0a2e4eeb3f5d586c4b2e0509e2165f08feab2920f0ec1c204795427f359
Instruction ID: 86a6fbbe12c05f3333ccfca12d939a56dfcf33e8da162f91e128b2d7bcaf4062
Opcode Fuzzy Hash: c9ebd0a2e4eeb3f5d586c4b2e0509e2165f08feab2920f0ec1c204795427f359
Instruction Fuzzy Hash: 8D11C825712B4082FB54DFB2E51835AB3A1FBDDF48F14D215998A46654EF3CC1C5C700

Function 000002287BC37FE0 Relevance: 6.5, APIs: 5, Instructions: 299COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,000002287BC394E8,?,00000000,?,000002287BC36596), ref: 000002287BC3811C
memcpy.NTDLL ref: 000002287BC381A1
memcpy.NTDLL(?,?,00000000,000002287BC394E8,?,00000000,?,000002287BC36596), ref: 000002287BC381DD
memcpy.NTDLL(?,?,00000000,000002287BC394E8,?,00000000,?,000002287BC36596), ref: 000002287BC38219
memcpy.NTDLL(?,?,00000000,000002287BC394E8,?,00000000,?,000002287BC36596), ref: 000002287BC382CD

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 966f0709295554856f31a4ecd688e8bb2fc6d7ab78357df849f83103014d210d
Instruction ID: fc3534aed9154fc3a043b7f3f63d51bc55b68bf2d556349b8c7d5d1869f27250
Opcode Fuzzy Hash: 966f0709295554856f31a4ecd688e8bb2fc6d7ab78357df849f83103014d210d
Instruction Fuzzy Hash: D0D14A76705650ABEB18CE69C38839DB7A2F788B80F608119DB1E83750DF31E872DB41

Function 000002287BC1B5C0 Relevance: 6.3, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1B60B
VirtualFree.KERNEL32 ref: 000002287BC1B635
memset.NTDLL ref: 000002287BC1B656
VirtualFree.KERNEL32 ref: 000002287BC1B6A6
VirtualFree.KERNEL32 ref: 000002287BC1B6D0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
String ID:
API String ID: 3460648485-0
Opcode ID: b1e2dd2b0cc1a51acca87de263e3f1097b3bea1bd002cb5d7cfe503a6461ace1
Instruction ID: 10b7574bfadf2291a6161cf2e68f5ee7cb286ed3029c74f4d6b5c472d9bb34b1
Opcode Fuzzy Hash: b1e2dd2b0cc1a51acca87de263e3f1097b3bea1bd002cb5d7cfe503a6461ace1
Instruction Fuzzy Hash: 23316336301A9096FB24DF93E558399A3A2FBCDB81F5480248F8A47F54DF38D1568B00

Function 000002287BC1CD30 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000002287BC1CD5A

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC1CD95
VirtualFree.KERNEL32 ref: 000002287BC1CDBF
VirtualFree.KERNEL32 ref: 000002287BC1CDE9
VirtualFree.KERNEL32 ref: 000002287BC1CE13

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
String ID:
API String ID: 3460648485-0
Opcode ID: 2f1d990fb7f5200c509fea68be84fd40bc5b4beb197a41457c29c039dd3f6c4c
Instruction ID: b88998b7334d450f36bd527372ffecdba5ec4ce2fdf7503c15f9fc90ef8344ff
Opcode Fuzzy Hash: 2f1d990fb7f5200c509fea68be84fd40bc5b4beb197a41457c29c039dd3f6c4c
Instruction Fuzzy Hash: 00315026302B4096FB64DFA3E55875AA7A2FBC9B80F14C0259F8A43F54DF38D1568740

Function 000002287BC3CF50 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

lws_free, xrefs: 000002287BC3D40E
free, xrefs: 000002287BC3D3AD
ctx destroy, xrefs: 000002287BC3D077

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID:
String ID: ctx destroy$free$lws_free
API String ID: 0-48050916
Opcode ID: 7fa3de8879873fad443575716613c66aa7123479f2bfe21c7ca70ad3f37d6207
Instruction ID: 6da2347e839f71abbe0839dd8f25c00cd118b69456a78bc8059261a92f034ba9
Opcode Fuzzy Hash: 7fa3de8879873fad443575716613c66aa7123479f2bfe21c7ca70ad3f37d6207
Instruction Fuzzy Hash: 83D1D02A302680A2FA5D9FA185483EDB7A2F785B84FA4C021CF5D07399DF38D567D741

Function 000002287BC3F550 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 000002287BC3F6A0

Strings

wss, xrefs: 000002287BC3F617
http, xrefs: 000002287BC3F595
https, xrefs: 000002287BC3F5F4

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: atoi
String ID: http$https$wss
API String ID: 657269090-1519134247
Opcode ID: 9eeca8da3c80b5b96a7f61831c2102cba9482959941df2d328073ffda5aa503d
Instruction ID: 1ecaa81f9625789bd54d98bf455515f01b7266070fc7727c42f4fec337dde0e6
Opcode Fuzzy Hash: 9eeca8da3c80b5b96a7f61831c2102cba9482959941df2d328073ffda5aa503d
Instruction Fuzzy Hash: DC51B75A10A6C464FF624FA59418378BBFA9396748FECC452C2C9472E1CE68C897A713

Function 000002287BC2DF00 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

WaitForMultipleObjects.KERNEL32 ref: 000002287BC2DF51
WaitForMultipleObjects.KERNEL32 ref: 000002287BC2E01D
VirtualFree.KERNEL32 ref: 000002287BC2E05C
VirtualFree.KERNEL32 ref: 000002287BC2E086

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveMultipleObjectsWait$Initialize
String ID:
API String ID: 1197094596-0
Opcode ID: 671951f809ac83284af79a78fb7cb8fe62f641a4fc956cbe7a2945372862514e
Instruction ID: d8525cc5d33f39a5a2dc5980d64c8e9970a8e641406fc7991442cdb92dd7bebe
Opcode Fuzzy Hash: 671951f809ac83284af79a78fb7cb8fe62f641a4fc956cbe7a2945372862514e
Instruction Fuzzy Hash: 5641C276701B8182EB64CF62E44875EB3A1FBC9F84F549125CE8A53B48DF39C486CB00

Function 000002287BC56510 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,Unable to connect,000002287BC59F78), ref: 000002287BC56603
memcpy.NTDLL(?,?,Unable to connect,000002287BC59F78), ref: 000002287BC56621

Strings

Unable to connect, xrefs: 000002287BC5651F
lws_conmon_append_copy_new_dns_results, xrefs: 000002287BC565C9

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: memcpy
String ID: Unable to connect$lws_conmon_append_copy_new_dns_results
API String ID: 3510742995-4193639203
Opcode ID: 5b6b6604168f5fbc7e77e4d139dea46a732115e70d7a857e129689a9258bb8a8
Instruction ID: 110350aa1ecd519ad5c2a7f394ea01a1293268657ab8ab381aa379a8be36161a
Opcode Fuzzy Hash: 5b6b6604168f5fbc7e77e4d139dea46a732115e70d7a857e129689a9258bb8a8
Instruction Fuzzy Hash: ED41B076602B8092FB64CF55D1402A8B7A2FBA8B88F79C235DB5D47799DF30C892C340

Function 000002287BC2F110 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000002287BC2F134
ProcessIdToSessionId.KERNEL32 ref: 000002287BC2F141

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2F1F4
VirtualFree.KERNEL32 ref: 000002287BC2F21E

Part of subcall function 000002287BC170C0: GetCurrentProcessId.KERNEL32 ref: 000002287BC1713B
Part of subcall function 000002287BC170C0: ProcessIdToSessionId.KERNEL32 ref: 000002287BC1714B
Part of subcall function 000002287BC170C0: CreateToolhelp32Snapshot.KERNEL32 ref: 000002287BC17174
Part of subcall function 000002287BC170C0: GetProcessHeap.KERNEL32 ref: 000002287BC17183
Part of subcall function 000002287BC170C0: HeapAlloc.KERNEL32 ref: 000002287BC17196
Part of subcall function 000002287BC170C0: CloseHandle.KERNEL32 ref: 000002287BC171A7
Part of subcall function 000002287BC170C0: WTSGetActiveConsoleSessionId.KERNEL32 ref: 000002287BC171B6
Part of subcall function 000002287BC170C0: VirtualFree.KERNEL32 ref: 000002287BC17316
Part of subcall function 000002287BC170C0: VirtualFree.KERNEL32 ref: 000002287BC17340

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
String ID:
API String ID: 1320018004-0
Opcode ID: e59b582023561e424faacd75e761e69e18ae19866826c206d5164854da140dd4
Instruction ID: df26da33805c36c00b107b629c375f8e668f3d76d343d81f723ab34e6ac5bec7
Opcode Fuzzy Hash: e59b582023561e424faacd75e761e69e18ae19866826c206d5164854da140dd4
Instruction Fuzzy Hash: D731707A31265092FB64DF92E54865DB3A6FBC9F84F649026EA4643B48DF38C885CB00

Function 000002287BC34500 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC3455F
SetEvent.KERNEL32 ref: 000002287BC345A0
VirtualFree.KERNEL32 ref: 000002287BC345E9
VirtualFree.KERNEL32 ref: 000002287BC34614

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocEvent
String ID:
API String ID: 2763048252-0
Opcode ID: 3aff6a2bc12951325e0be6d6246298fd01b4affd9be8b45f9f688c5d9c2fce65
Instruction ID: 2970a82a1b01d78778365b907d88c69e99798b28f34f576648fef9057ea90334
Opcode Fuzzy Hash: 3aff6a2bc12951325e0be6d6246298fd01b4affd9be8b45f9f688c5d9c2fce65
Instruction Fuzzy Hash: 2B31B639705A4091F7649F639D0C76DD2A2EBC6FD4F68C121DE1E8B794DE34C4829741

Function 000002287BC13120 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 000002287BC13150
VirtualAlloc.KERNEL32 ref: 000002287BC13182
memcpy.NTDLL ref: 000002287BC131C6
VirtualFree.KERNEL32 ref: 000002287BC131D6

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocFreeceilmemcpy
String ID:
API String ID: 941304502-0
Opcode ID: aa02d3703279443325f506a1bf07665e7c387f2924f8bb4d9bc78ef500e723e2
Instruction ID: c5092675512d2b297da0eb4c05c5f0a515d0d07046a7fe2af5cdb76a1cf2cee6
Opcode Fuzzy Hash: aa02d3703279443325f506a1bf07665e7c387f2924f8bb4d9bc78ef500e723e2
Instruction Fuzzy Hash: E021D876716A409AFB55DF7AF444259E362E7C8F88F398121EA49A7748DE34C8838B40

Function 000002287BC23650 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000002287BC2366D
ProcessIdToSessionId.KERNEL32 ref: 000002287BC2367A

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2370E
VirtualFree.KERNEL32 ref: 000002287BC23738

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveProcess$CurrentInitializeSession
String ID:
API String ID: 3327369976-0
Opcode ID: 8fe99082cdae3a9e30e841bfdc69ee1846fc745c304454db74bd1759a6bbbd42
Instruction ID: f51f3bb4a1ebd64c3cbc41c203f06b5d1fb4d3cbf2d9a6b5ce5e3e2d3f38c05c
Opcode Fuzzy Hash: 8fe99082cdae3a9e30e841bfdc69ee1846fc745c304454db74bd1759a6bbbd42
Instruction Fuzzy Hash: D7315A36615B409BEB24DF66E44860AB3A1F7C8B84F148126EB8A43F18DF3CD586CB00

Function 000002287BC2A7A0 Relevance: 6.1, APIs: 4, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

CreateThread.KERNEL32 ref: 000002287BC2A812
CloseHandle.KERNEL32 ref: 000002287BC2A820
VirtualFree.KERNEL32 ref: 000002287BC2A83C
VirtualFree.KERNEL32 ref: 000002287BC2A866

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
String ID:
API String ID: 4031785131-0
Opcode ID: 104d806567fdcd85642fefcdb739ee4b48d93606346f75523f9cac813997760f
Instruction ID: 05d98b3bebf9e63d8130233bd060742ebe9daec8bacc78b03432664c117939de
Opcode Fuzzy Hash: 104d806567fdcd85642fefcdb739ee4b48d93606346f75523f9cac813997760f
Instruction Fuzzy Hash: A2213D65705A5082FB24CF93A55821AE7A2FBCEFD0F588029DF8A43B54DF38C1968B40

Function 000002287BC353D0 Relevance: 6.0, APIs: 4, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000002287BC353F8
WaitForSingleObject.KERNEL32 ref: 000002287BC35419
SetEvent.KERNEL32 ref: 000002287BC35439
SetEvent.KERNEL32 ref: 000002287BC35450

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Event$ObjectSingleWait
String ID:
API String ID: 2127046782-0
Opcode ID: d9cee7e685b0bc662f9006c456bafce61a487c53f32dd4a5ca0d5d6ca8d50314
Instruction ID: bb577847279faafab24663a60044126d338f8ac8d8fecdfc25bb8d20bb84d606
Opcode Fuzzy Hash: d9cee7e685b0bc662f9006c456bafce61a487c53f32dd4a5ca0d5d6ca8d50314
Instruction Fuzzy Hash: 7B01842671554092FBE58FAAF94C51DA7A2F7C8FD4F648012CB0E47768DE28C8869701

Function 000002287BC23040 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCursorInfo.USER32 ref: 000002287BC23065
GetCursorPos.USER32 ref: 000002287BC23072
GetTickCount.KERNEL32 ref: 000002287BC23078
OpenProcess.KERNEL32 ref: 000002287BC230A1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Cursor$CountInfoOpenProcessTick
String ID:
API String ID: 1051838312-0
Opcode ID: c02446f8e49884ebd47f9a3d382b2d07e3b67b817a508dd3f35da843066d32bd
Instruction ID: 2da3004a99791af23041b5d351e61d6d22a1cc3f4d3255ff376f8250f18f9ed6
Opcode Fuzzy Hash: c02446f8e49884ebd47f9a3d382b2d07e3b67b817a508dd3f35da843066d32bd
Instruction Fuzzy Hash: E6F08172612A41D3F7049FB1E90C269B3A2FBD9B4DF548226D64A43254EF3CC596C740

Function 000002287BC35920 Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC3592E
CancelIo.KERNEL32 ref: 000002287BC35940
closesocket.WS2_32 ref: 000002287BC35949
SetEvent.KERNEL32 ref: 000002287BC3595F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CancelEventReadclosesocket
String ID:
API String ID: 2025173275-0
Opcode ID: a39ff010f733aba4229b8f91559e7ac0612ab47a0097d267e08433f80249d3af
Instruction ID: f04c25fe4d3faf899549cabb22c341fe2dea13a9c255668b7e1ee0280b473d6c
Opcode Fuzzy Hash: a39ff010f733aba4229b8f91559e7ac0612ab47a0097d267e08433f80249d3af
Instruction Fuzzy Hash: 1EE0C029203A01D1FF155FF1D46C724A391ABC5F79F6887158A7A472D4DE28C4879311

Function 000002287BC1AAF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetRawInputData.USER32 ref: 000002287BC1AB4C

Part of subcall function 000002287BC1A020: __chkstk.NTDLL ref: 000002287BC1A032
Part of subcall function 000002287BC1A020: lstrlenW.KERNEL32 ref: 000002287BC1A04B
Part of subcall function 000002287BC1A020: memset.NTDLL ref: 000002287BC1A073
Part of subcall function 000002287BC1A020: memset.NTDLL ref: 000002287BC1A093
Part of subcall function 000002287BC1A020: GetForegroundWindow.USER32 ref: 000002287BC1A098
Part of subcall function 000002287BC1A020: GetWindowTextW.USER32 ref: 000002287BC1A0B3
Part of subcall function 000002287BC1A020: GetWindowThreadProcessId.USER32 ref: 000002287BC1A0C7
Part of subcall function 000002287BC1A020: ProcessIdToSessionId.KERNEL32 ref: 000002287BC1A0F0
Part of subcall function 000002287BC1A020: memset.NTDLL ref: 000002287BC1A105
Part of subcall function 000002287BC1A020: lstrlenW.KERNEL32 ref: 000002287BC1A123
Part of subcall function 000002287BC1A020: GetLocalTime.KERNEL32 ref: 000002287BC1A136
Part of subcall function 000002287BC1A020: wsprintfW.USER32 ref: 000002287BC1A19E
Part of subcall function 000002287BC1A020: lstrlenW.KERNEL32 ref: 000002287BC1A1AB
Part of subcall function 000002287BC1A020: lstrlenA.KERNEL32 ref: 000002287BC1A1F1
Part of subcall function 000002287BC1A020: MultiByteToWideChar.KERNEL32 ref: 000002287BC1A20A

DefWindowProcW.USER32 ref: 000002287BC1AB8A

Strings

0, xrefs: 000002287BC1AB2F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Windowlstrlen$memset$Process$ByteCharDataForegroundInputLocalMultiProcSessionTextThreadTimeWide__chkstkwsprintf
String ID: 0
API String ID: 780575994-4108050209
Opcode ID: 8944017d7ed3806bb4b05e2da9ce243fefa61d03cda730b77ebf3acd0b51178a
Instruction ID: 3059a309df146918301d6950c6b31ccb1f86aac622b3a3d423d8b02ef2d069b5
Opcode Fuzzy Hash: 8944017d7ed3806bb4b05e2da9ce243fefa61d03cda730b77ebf3acd0b51178a
Instruction Fuzzy Hash: EE21C27560668492F7108FA5F5483A9B3A2F7D9BE0F68C125EA5453698CF3CC482CB00

Function 000002287BC56670 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 000002287BC5669E
WSAGetLastError.WS2_32 ref: 000002287BC566A8

Strings

getpeername: %s, xrefs: 000002287BC566B8

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: ErrorLastgetpeername
String ID: getpeername: %s
API String ID: 2962421750-464625284
Opcode ID: 70492f69daa5a89d0d3f06da4cbe523ed641418cf23a1151e85d09f26d425933
Instruction ID: 449caf9024c984adb83b06987af97c3716dd5f402624ede2b1b76bf074fbc40f
Opcode Fuzzy Hash: 70492f69daa5a89d0d3f06da4cbe523ed641418cf23a1151e85d09f26d425933
Instruction Fuzzy Hash: 65F0D169305740A2FA009F96F54C2DAE362BBC9BC8FA88532DF5C47756CF38C1428A00

Function 000002287BC234F6 Relevance: 5.1, APIs: 4, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1458D
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC145BF
Part of subcall function 000002287BC14570: InitializeCriticalSection.KERNEL32 ref: 000002287BC145D4
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC145F0
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14603
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC1461A
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC14649
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC1465E
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC14671
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC14688
Part of subcall function 000002287BC14570: LeaveCriticalSection.KERNEL32 ref: 000002287BC146B7
Part of subcall function 000002287BC14570: IsBadReadPtr.KERNEL32 ref: 000002287BC146CC
Part of subcall function 000002287BC14570: EnterCriticalSection.KERNEL32 ref: 000002287BC146DF
Part of subcall function 000002287BC14570: VirtualAlloc.KERNEL32 ref: 000002287BC146F6

VirtualAlloc.KERNEL32 ref: 000002287BC23593

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC235D8
VirtualFree.KERNEL32 ref: 000002287BC2360E
VirtualFree.KERNEL32 ref: 000002287BC2361F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$Leave$Free$Initialize
String ID:
API String ID: 4189992183-0
Opcode ID: 46fbae9de68203493fbee3f2530e2a4658fefb7301e89e69ecf3f114e9b588e7
Instruction ID: 940abb6ce27db7c6c896c9257734679118efa68d1c50c46631cb6ff64e69cbde
Opcode Fuzzy Hash: 46fbae9de68203493fbee3f2530e2a4658fefb7301e89e69ecf3f114e9b588e7
Instruction Fuzzy Hash: 4231B576306A405AFB558FA2E558399B7A2FBC9FC4F188025CE4647B85EF38C4928700

Function 000002287BC1C840 Relevance: 5.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

VirtualFree.KERNEL32 ref: 000002287BC1C915
VirtualFree.KERNEL32 ref: 000002287BC1C93F
VirtualFree.KERNEL32 ref: 000002287BC1C955
VirtualFree.KERNEL32 ref: 000002287BC1C97F

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
String ID:
API String ID: 3420869360-0
Opcode ID: 185be2c0cbfc7c22b00fbf48d92649722d549f69ec3c3164fd9105fdedd5f745
Instruction ID: 1e2f465b383302e7ffa4be84fa892de7f16278c7535cdf72da95695167c2e127
Opcode Fuzzy Hash: 185be2c0cbfc7c22b00fbf48d92649722d549f69ec3c3164fd9105fdedd5f745
Instruction Fuzzy Hash: 44417F76312B4086EB64CF63E45861AB7E5FBC9F90F158425DF8A43B14DF39C4468B00

Function 000002287BC28560 Relevance: 5.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1364B
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1365D
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13670
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13687
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136B6
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC136C8
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136DB
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC136F2
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13721
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13733
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13746
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1375D
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1378C
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1379E
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC137B4

VirtualFree.KERNEL32 ref: 000002287BC2862B
VirtualFree.KERNEL32 ref: 000002287BC28655
VirtualFree.KERNEL32 ref: 000002287BC2866B
VirtualFree.KERNEL32 ref: 000002287BC28695

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
String ID:
API String ID: 3420869360-0
Opcode ID: 149310322293b3fe42c6b3ff7dbfaeabd4d338ddb3b0be91a009c36db8032caa
Instruction ID: 5cda0f05f360a736b31e4d0a74c874ebbf897ca13548bc35463beacb89a31184
Opcode Fuzzy Hash: 149310322293b3fe42c6b3ff7dbfaeabd4d338ddb3b0be91a009c36db8032caa
Instruction Fuzzy Hash: DC416D36712B4086EB64DFA3E45C61AB3A5FBC9F80B598025DF8A43B14DF39D0858B04

Function 000002287BC330C0 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC33124

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC33169
VirtualFree.KERNEL32 ref: 000002287BC3319F
VirtualFree.KERNEL32 ref: 000002287BC331B0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 2d81ea38706c048f2e5f4f4a5d446c9e9cc6be0654373f3db5453061353b3bdb
Instruction ID: c3a01dbcfb6a38036268c8e06f4dc427e4fa5df7618343e52709add958a619ac
Opcode Fuzzy Hash: 2d81ea38706c048f2e5f4f4a5d446c9e9cc6be0654373f3db5453061353b3bdb
Instruction Fuzzy Hash: 8B319139312A4091FB54CFA3E558719B3A2EBC9FD4F588025DE1A47B58DF38C4968701

Function 000002287BC27030 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC27094

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC270D9
VirtualFree.KERNEL32 ref: 000002287BC2710F
VirtualFree.KERNEL32 ref: 000002287BC27120

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 0b5870ebc01e7a7c0e19c12364db0ab6471d599442f1e369a7ada7ab57e35a22
Instruction ID: 0bf502fdf3489b14eaec9a16087b3a7f78fe878b0cf0519b55b2e2ae6be30544
Opcode Fuzzy Hash: 0b5870ebc01e7a7c0e19c12364db0ab6471d599442f1e369a7ada7ab57e35a22
Instruction Fuzzy Hash: 2C31A735312A4091FB54CFA7E599759A3A2EFC9FD4F18C125CE1A47B44DF38C8968740

Function 000002287BC31F30 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC31F94

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC31FD9
VirtualFree.KERNEL32 ref: 000002287BC3200F
VirtualFree.KERNEL32 ref: 000002287BC32020

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: c70ce8835c5477f1a9819fe4b722eec9c04bc43118f105ea714f34c0733d2822
Instruction ID: 510e05d4b61a6e295e5a4d48d62410b2f2af8977337c8ba81b2e756083e677e1
Opcode Fuzzy Hash: c70ce8835c5477f1a9819fe4b722eec9c04bc43118f105ea714f34c0733d2822
Instruction Fuzzy Hash: B2318D39302A4092FF548FA3E558719A3A2ABC9FD4F588125CE1A4BB88DF39C4968741

Function 000002287BC30580 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC305EB

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC30630
VirtualFree.KERNEL32 ref: 000002287BC30666
VirtualFree.KERNEL32 ref: 000002287BC30677

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 57fc5c954fd539dfa39d1df089443c9945ee205ac194f12c17d099d83254ae1e
Instruction ID: 24972fbb2dcb43d18aac38f2e467c64e9269bf9cd53b1b249684dccbaf6665a1
Opcode Fuzzy Hash: 57fc5c954fd539dfa39d1df089443c9945ee205ac194f12c17d099d83254ae1e
Instruction Fuzzy Hash: E131823A302A4091FB54CFA3E558729A3A2EBC9FD4F58C125CE1E47B98DF39C4968741

Function 000002287BC2A4B0 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC2A514

Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134A7
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC134EF
Part of subcall function 000002287BC13490: InitializeCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13503
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC1351C
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1352F
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13546
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13575
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC13587
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1359A
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135B1
Part of subcall function 000002287BC13490: LeaveCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC135E0
Part of subcall function 000002287BC13490: IsBadReadPtr.KERNEL32 ref: 000002287BC135F2
Part of subcall function 000002287BC13490: EnterCriticalSection.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC13605
Part of subcall function 000002287BC13490: VirtualAlloc.KERNEL32(?,?,?,000002287BC12014), ref: 000002287BC1361C

VirtualFree.KERNEL32 ref: 000002287BC2A559
VirtualFree.KERNEL32 ref: 000002287BC2A58F
VirtualFree.KERNEL32 ref: 000002287BC2A5A0

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: d71c6923a865d40c7d6e2f294f2fd7b1a7cdeb36ff7e7a59477494c99de26ade
Instruction ID: 0ba0ce91195c44d5619d68659c3d42306cf660ab48cfb80ffedb35f799f2b68b
Opcode Fuzzy Hash: d71c6923a865d40c7d6e2f294f2fd7b1a7cdeb36ff7e7a59477494c99de26ade
Instruction Fuzzy Hash: EB319535302A4192FB54CFA7E55875AA3A2EBC9FD4F188025DE1A47B58DF38C4968B40

Function 000002287BC1C58B Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000002287BC1C5AF
VirtualFree.KERNEL32 ref: 000002287BC1C5E2
VirtualFree.KERNEL32 ref: 000002287BC1C5FA
VirtualFree.KERNEL32 ref: 000002287BC1C624

Part of subcall function 000002287BC20FA0: lstrlenW.KERNEL32 ref: 000002287BC20FB0
Part of subcall function 000002287BC20FA0: WideCharToMultiByte.KERNEL32 ref: 000002287BC20FDA
Part of subcall function 000002287BC20FA0: VirtualAlloc.KERNEL32 ref: 000002287BC20FF5
Part of subcall function 000002287BC20FA0: lstrlenW.KERNEL32 ref: 000002287BC21006
Part of subcall function 000002287BC20FA0: memset.NTDLL ref: 000002287BC2102B
Part of subcall function 000002287BC20FA0: lstrlenA.KERNEL32 ref: 000002287BC21033
Part of subcall function 000002287BC20FA0: VirtualFree.KERNEL32 ref: 000002287BC21049

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: Virtual$Free$lstrlen$Alloc$ByteCharMultiWidememset
String ID:
API String ID: 2589853381-0
Opcode ID: 9611ec3cb70565aed01a1dbbd046ff915021df47ce3a78d6dbe9877fcbb48a4b
Instruction ID: f01ce32342ba23bd0f3bc5439d0f372e7051856914017e2e57c3bf451c761e53
Opcode Fuzzy Hash: 9611ec3cb70565aed01a1dbbd046ff915021df47ce3a78d6dbe9877fcbb48a4b
Instruction Fuzzy Hash: 14118629312A4191FB58DFB7E55C769A392EFCDFC8F18C0259D4647B58DE39C0468B01

Function 000002287BC16D20 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000002287BC16D43
EnterCriticalSection.KERNEL32(?,?,00000038,000002287BC17306), ref: 000002287BC16D5E
LeaveCriticalSection.KERNEL32(?,?,00000038,000002287BC17306), ref: 000002287BC16D81
LeaveCriticalSection.KERNEL32(?,?,00000038,000002287BC17306), ref: 000002287BC16DA1

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead
String ID:
API String ID: 2917996470-0
Opcode ID: 5fe44f807c3c7cb4d1e0cf3bd03fcfc977882a79a0ed3f1eb1ea4ee1d0148d3e
Instruction ID: ed618f4fad69ecbc2d5087dfa7f9a87483f4cde1dc6c6bbaeac385bb8939661e
Opcode Fuzzy Hash: 5fe44f807c3c7cb4d1e0cf3bd03fcfc977882a79a0ed3f1eb1ea4ee1d0148d3e
Instruction Fuzzy Hash: 8B113066206A40D2FF54AF62E548369B3A1FBC9F88F1D8421DF4987758CF38C4529740

Function 000002287BC348D0 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000002287BC34908
LeaveCriticalSection.KERNEL32 ref: 000002287BC3491F
EnterCriticalSection.KERNEL32 ref: 000002287BC3493A
LeaveCriticalSection.KERNEL32 ref: 000002287BC34957

Memory Dump Source

Source File: 00000003.00000002.2495709321.000002287BC01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002287BC00000, based on PE: true

Associated: 00000003.00000002.2495682977.000002287BC00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495754911.000002287BC68000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495786207.000002287BC7C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2495818196.000002287BC82000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2287bc00000_svchost.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3439a903757724df9fa438759aecd9a6de92a885809b20b72485234d84bc4409
Instruction ID: 7872b6f954c3f352adea4d805bdbbfb891c7768d04fc0ea46cd392e72d5e4043
Opcode Fuzzy Hash: 3439a903757724df9fa438759aecd9a6de92a885809b20b72485234d84bc4409
Instruction Fuzzy Hash: FB11E929305B40D2EB149F62AD9C25DA326F7C9FD9F584021EF5A17B68CF3CC4468300

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 360safe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Mail\HoopCity.exe

C:\Program Files\Windows Mail\HoopCityBase.dll

C:\Program Files\Windows Mail\mimidump.inf

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
360safe.exe

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40
nativeCOMMON

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
COMMON

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31
injectionCOMMON

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filesleepmemoryCOMMON

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162
comCOMMON

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre