Edit tour

Windows Analysis Report
png131.exe

Overview

General Information

Sample name:	png131.exe
Analysis ID:	1570457
MD5:	cc229473f79f7c6b26f368dc07731472
SHA1:	0969d6ea4eee31e7ee3d780bf0fe0c783f61ba49
SHA256:	a335d89038645fc3facd680615e971e97e79c967d3d44e04c089ef69543f6fbe
Tags:	exeSilverfoxWinOsuser-kafan_shengui
Infos:

Detection

ValleyRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected ValleyRAT

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Deletes itself after installation

Detected VMProtect packer

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain checking for user administrative privileges

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to create new users

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Uncommon Svchost Parent Process

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

png131.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\png131.exe" MD5: CC229473F79F7C6B26F368DC07731472)

svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7116 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 1852 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

arphaCrashReport64.exe (PID: 3712 cmdline: "C:\Program Files\Windows Mail\arphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)

svchost.exe (PID: 6204 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 7236 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
png131.exe	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x2a0:$s2: .enigma1 0x19ae5c0:$s2: .enigma1 0x2c8:$s3: .enigma2 0x19ae5d4:$s3: .enigma2

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2042505160.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x2a0:$s2: .enigma1 0x2c8:$s3: .enigma2
00000000.00000000.2017630234.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x2a0:$s2: .enigma1 0x2c8:$s3: .enigma2
Process Memory Space: svchost.exe PID: 1068	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.png131.exe.7ff62a170000.9.raw.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x2a0:$s2: .enigma1 0x2c8:$s3: .enigma2
0.0.png131.exe.7ff62a170000.0.raw.unpack	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x2a0:$s2: .enigma1 0x2c8:$s3: .enigma2

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 47.238.215.73, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\System32\svchost.exe, Initiated: true, ProcessId: 7116, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\png131.exe", ParentImage: C:\Users\user\Desktop\png131.exe, ParentProcessId: 6604, ParentProcessName: png131.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1068, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\png131.exe", ParentImage: C:\Users\user\Desktop\png131.exe, ParentProcessId: 6604, ParentProcessName: png131.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1068, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: png131.exe	ReversingLabs: Detection: 13%
Source: png131.exe	Virustotal: Detection: 15%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.0% probability

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: png131.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: png131.exe, png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000006.00000002.2072502363.00007FF8B8B39000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.3.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: png131.exe, png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000006.00000002.2072276339.00007FF624992000.00000002.00000001.01000000.00000008.sdmp, arphaCrashReport64.exe, 00000006.00000000.2056121124.00007FF624992000.00000002.00000001.01000000.00000008.sdmp, arphaCrashReport64.exe.3.dr

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3916810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	3_2_00000254A3916810
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	4_2_0000000180026810
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	5_2_0000000180026810
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,	6_2_0000000180026810

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_00000254A390E210
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A390C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390DDD0 malloc,memset,FindFirstFileW,free,	3_2_00000254A390DDD0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A390CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	4_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	4_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	5_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	5_2_000000018001DDD0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF624988F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	6_2_00007FF624988F78
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF8B8B305EC FindFirstFileExW,	6_2_00007FF8B8B305EC
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	6_2_000000018001E210
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001C850
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001CCF0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	6_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3919300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

3_2_00000254A3919300

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 47.238.215.73:7700

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: llCU4F+qo5jK74A+YNYU6Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: XLuJFIBDWavl0qvxoTvaYw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: IyV9SKHbDr4Attaj4qGh3g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 6ZByfMJzxNEbmQFVIwZnWQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: sPtmsOMMeuQ2fCsHZGst1A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: dmZb4wSkL/hRX1a6pdHzTw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: PdFPFyQ85QtsQoFs5za6yQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: yqY4f2ZtUDGhCdfQaQBGvw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: KIrTGZI4Qp/FjbsTFd1ODQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: V3wh5qieu1fXzyw168vTtA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: tWC8gdRprsb7UxB4l6jbAw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 5FEKTurOJ30NlYKZbZZfqg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: cSfztSz/kqNDXNj+72Drnw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: QjWl6BaaGewxGmbcGXJn+A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: /v3cHW4w/cl4Ii1icit4lQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: xWjQUY/Is9yTBVgUs5A+EA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: i9LFhbBgae+u6YPH9PYEig==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: Uj25uND5HgLJzK55NVvLBQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: GKiu7PGR1BXkr9krdsCRgA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 3xOiIBIqiij/kgTdtyZX+w==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: pX6XVDPCPzsadS6Q+Isddg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: bOiLiFRa9U81WVlCOfDk8A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: MlOAu3XzqmJQPIT0elWqaw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: +b5075aLYHVqH6+mu7tw5g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: vylpI7cjFoiFAtpY/CA2YQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: hpRdV9i8y5ug5QULPoX92w==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: TP9Si/lUga67yS+9f+vDVg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: E2lGvhrsN8HWrFpvwFCJ0Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 2dQ78juF7NTxj4UhAbVPTA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: oD8vJlwdoucMcrDUQhsWxg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: ZqokWny1WPonVduGg4DcQQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: i/izKMkZ/3xlvel7cMKqCg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: InFajtRMPNduXqIM2zns3g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: GM6cjwtJa6Kbgz/g84w3AA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: paSF90161sjRSpVEdVfD9Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13

Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.215.73

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3911A10 __chkstk,memset,WSACreateEvent,WSACreateEvent,WSAEventSelect,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,memset,recv,WSAEnumNetworkEvents,WSAWaitForMultipleEvents,CancelIo,closesocket,VirtualFree,VirtualFree,VirtualFree,

3_2_00000254A3911A10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: llCU4F+qo5jK74A+YNYU6Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: XLuJFIBDWavl0qvxoTvaYw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: IyV9SKHbDr4Attaj4qGh3g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 6ZByfMJzxNEbmQFVIwZnWQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: sPtmsOMMeuQ2fCsHZGst1A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: dmZb4wSkL/hRX1a6pdHzTw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: PdFPFyQ85QtsQoFs5za6yQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: yqY4f2ZtUDGhCdfQaQBGvw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: KIrTGZI4Qp/FjbsTFd1ODQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: V3wh5qieu1fXzyw168vTtA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: tWC8gdRprsb7UxB4l6jbAw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 5FEKTurOJ30NlYKZbZZfqg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: cSfztSz/kqNDXNj+72Drnw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: QjWl6BaaGewxGmbcGXJn+A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: /v3cHW4w/cl4Ii1icit4lQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: xWjQUY/Is9yTBVgUs5A+EA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: i9LFhbBgae+u6YPH9PYEig==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: Uj25uND5HgLJzK55NVvLBQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: GKiu7PGR1BXkr9krdsCRgA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 3xOiIBIqiij/kgTdtyZX+w==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: pX6XVDPCPzsadS6Q+Isddg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: bOiLiFRa9U81WVlCOfDk8A==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: MlOAu3XzqmJQPIT0elWqaw==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: +b5075aLYHVqH6+mu7tw5g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: vylpI7cjFoiFAtpY/CA2YQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: hpRdV9i8y5ug5QULPoX92w==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: TP9Si/lUga67yS+9f+vDVg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: E2lGvhrsN8HWrFpvwFCJ0Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: 2dQ78juF7NTxj4UhAbVPTA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: oD8vJlwdoucMcrDUQhsWxg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: ZqokWny1WPonVduGg4DcQQ==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: i/izKMkZ/3xlvel7cMKqCg==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: InFajtRMPNduXqIM2zns3g==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: GM6cjwtJa6Kbgz/g84w3AA==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Pragma: no-cacheCache-Control: no-cacheHost: 47.238.215.73Origin: http://47.238.215.73Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: paSF90161sjRSpVEdVfD9Q==Sec-WebSocket-Protocol: httpSec-WebSocket-Version: 13

Source: svchost.exe, 00000004.00000003.2648462641.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3252835233.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2166089526.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2226581770.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2346117697.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3011848093.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3072294504.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2406143977.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3193077464.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2105975161.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2831073812.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2891621352.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2709220531.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2286468292.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2587852150.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2466234241.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2951713138.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2769686541.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3132049947.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2526302473.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2388806000.00000277B8913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.238.215.73
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: arphaCrashReport64.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ejemplo.com
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://eksempel.dk
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=afCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=caCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=cs&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=csCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=da&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=daCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=de&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=deStrg$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419Ctrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=esCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=etCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fiCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=filCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=frCtrl$1
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ejemplo.com.Se
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://eksempel.dk.Brug
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.com
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comContrase
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comContrasenyes
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comF
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comGemte
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comGestoorde
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comMga
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comMots
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comSe
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comSelle
Source: png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comT
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passwords.google.comUlo
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://policies.google.com/
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.beispiel.de
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.eksempel.comWebadressen
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&AideG
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&HilfeVon
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&N
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
Source: png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&j
Source: png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A39099F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,

3_2_00000254A39099F0

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39099F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_00000254A39099F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3916200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	3_2_00000254A3916200
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00000254A391F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39097D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00000254A39097D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_000000018002F1B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	4_2_0000000180026200
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_00000001800197D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	4_2_00000001800199F0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_000000018002F1B0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	5_2_0000000180026200
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_00000001800197D0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	5_2_00000001800199F0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_000000018002F1B0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	6_2_0000000180026200
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_00000001800197D0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,	6_2_00000001800199F0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A390AC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,

3_2_00000254A390AC60

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A390A410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

3_2_00000254A390A410

Source: png131.exe, 00000000.00000002.2042365238.0000020055900000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_8e0c20f9-d

System Summary

Malicious sample detected (through community Yara rule)

Source: png131.exe, type: SAMPLE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.2.png131.exe.7ff62a170000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.0.png131.exe.7ff62a170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000002.2042505160.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000000.2017630234.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables packed with Enigma Author: ditekSHen

Detected VMProtect packer

Source: png131.exe

Static PE information: .vmp0 and .vmp1 section names

Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,	0_2_0000000180005824
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,	0_2_00000001800080F2
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001801192F0 NtQuerySystemInformation,	0_2_00000001801192F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3901AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_00000254A3901AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3902830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	3_2_00000254A3902830
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3901C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	3_2_00000254A3901C70
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	4_2_0000000180011AE0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	4_2_0000000180011C70
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	4_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	5_2_0000000180012830
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	5_2_0000000180011AE0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	5_2_0000000180011C70
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018000B822 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,	6_2_000000018000B822
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180008F54 realloc,NtQuerySystemInformation,	6_2_0000000180008F54
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,	6_2_0000000180012830
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	6_2_0000000180011AE0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,	6_2_0000000180011C70

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3915F60: VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,CreateFileW,DeviceIoControl,CloseHandle,

3_2_00000254A3915F60

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391D2A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

3_2_00000254A391D2A0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A39101A0 GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,

3_2_00000254A39101A0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800080F2	0_2_00000001800080F2
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180009BC0	0_2_0000000180009BC0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800054D5	0_2_00000001800054D5
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800015B0	0_2_00000001800015B0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180001010	0_2_0000000180001010
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003833	0_2_0000000180003833
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180028038	0_2_0000000180028038
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180014848	0_2_0000000180014848
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000284D	0_2_000000018000284D
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018002C080	0_2_000000018002C080
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003880	0_2_0000000180003880
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800180EE	0_2_00000001800180EE
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000290C	0_2_000000018000290C
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180004153	0_2_0000000180004153
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002170	0_2_0000000180002170
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000B1AC	0_2_000000018000B1AC
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800069E0	0_2_00000001800069E0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800151E8	0_2_00000001800151E8
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002A06	0_2_0000000180002A06
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180001A10	0_2_0000000180001A10
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002A19	0_2_0000000180002A19
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000225E	0_2_000000018000225E
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018001AA6C	0_2_000000018001AA6C
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000B280	0_2_000000018000B280
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180006AB0	0_2_0000000180006AB0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000C2D0	0_2_000000018000C2D0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003AE0	0_2_0000000180003AE0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003220	0_2_0000000180003220
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000435B	0_2_000000018000435B
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000C370	0_2_000000018000C370
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180023B98	0_2_0000000180023B98
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800033B8	0_2_00000001800033B8
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018001FC0C	0_2_000000018001FC0C
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180028464	0_2_0000000180028464
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003464	0_2_0000000180003464
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000947B	0_2_000000018000947B
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002C8A	0_2_0000000180002C8A
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180004CB0	0_2_0000000180004CB0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800044C1	0_2_00000001800044C1
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003CF2	0_2_0000000180003CF2
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002526	0_2_0000000180002526
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003530	0_2_0000000180003530
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180007550	0_2_0000000180007550
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180001D60	0_2_0000000180001D60
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180016D88	0_2_0000000180016D88
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800045A9	0_2_00000001800045A9
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003DBC	0_2_0000000180003DBC
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000360B	0_2_000000018000360B
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000B620	0_2_000000018000B620
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002E24	0_2_0000000180002E24
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180005E58	0_2_0000000180005E58
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002666	0_2_0000000180002666
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180029E8C	0_2_0000000180029E8C
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000469C	0_2_000000018000469C
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180024EB0	0_2_0000000180024EB0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000BEB0	0_2_000000018000BEB0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000B6C0	0_2_000000018000B6C0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180008EC0	0_2_0000000180008EC0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018001FED8	0_2_000000018001FED8
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_00000001800096E0	0_2_00000001800096E0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000DEE8	0_2_000000018000DEE8
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_000000018000C6F0	0_2_000000018000C6F0
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180003717	0_2_0000000180003717
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180010F18	0_2_0000000180010F18
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180021F44	0_2_0000000180021F44
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180006F70	0_2_0000000180006F70
Source: C:\Users\user\Desktop\png131.exe	Code function: 0_2_0000000180002777	0_2_0000000180002777
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001010	3_2_0000000180001010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001A10	3_2_0000000180001A10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180001D60	3_2_0000000180001D60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003833	3_2_0000000180003833
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180028038	3_2_0000000180028038
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180014848	3_2_0000000180014848
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000284D	3_2_000000018000284D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018002C080	3_2_000000018002C080
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003880	3_2_0000000180003880
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800180EE	3_2_00000001800180EE
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800080F2	3_2_00000001800080F2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000290C	3_2_000000018000290C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180004153	3_2_0000000180004153
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002170	3_2_0000000180002170
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B1AC	3_2_000000018000B1AC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800069E0	3_2_00000001800069E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800151E8	3_2_00000001800151E8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002A06	3_2_0000000180002A06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002A19	3_2_0000000180002A19
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003220	3_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000225E	3_2_000000018000225E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001AA6C	3_2_000000018001AA6C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B280	3_2_000000018000B280
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006AB0	3_2_0000000180006AB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C2D0	3_2_000000018000C2D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003AE0	3_2_0000000180003AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003220	3_2_0000000180003220
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000435B	3_2_000000018000435B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C370	3_2_000000018000C370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180023B98	3_2_0000000180023B98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800033B8	3_2_00000001800033B8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180009BC0	3_2_0000000180009BC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001FC0C	3_2_000000018001FC0C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180028464	3_2_0000000180028464
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003464	3_2_0000000180003464
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000947B	3_2_000000018000947B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002C8A	3_2_0000000180002C8A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180004CB0	3_2_0000000180004CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800044C1	3_2_00000001800044C1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800054D5	3_2_00000001800054D5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003CF2	3_2_0000000180003CF2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002526	3_2_0000000180002526
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003530	3_2_0000000180003530
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180007550	3_2_0000000180007550
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180016D88	3_2_0000000180016D88
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800045A9	3_2_00000001800045A9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800015B0	3_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003DBC	3_2_0000000180003DBC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000360B	3_2_000000018000360B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B620	3_2_000000018000B620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002E24	3_2_0000000180002E24
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180005E58	3_2_0000000180005E58
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002666	3_2_0000000180002666
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180029E8C	3_2_0000000180029E8C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000469C	3_2_000000018000469C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180024EB0	3_2_0000000180024EB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000BEB0	3_2_000000018000BEB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000B6C0	3_2_000000018000B6C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180008EC0	3_2_0000000180008EC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018001FED8	3_2_000000018001FED8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001800096E0	3_2_00000001800096E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000DEE8	3_2_000000018000DEE8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_000000018000C6F0	3_2_000000018000C6F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180003717	3_2_0000000180003717
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180010F18	3_2_0000000180010F18
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180021F44	3_2_0000000180021F44
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180006F70	3_2_0000000180006F70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_0000000180002777	3_2_0000000180002777
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333D2E8	3_2_00000254A333D2E8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333BAF0	3_2_00000254A333BAF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A334F2D8	3_2_00000254A334F2D8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3338AE0	3_2_00000254A3338AE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3351344	3_2_00000254A3351344
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332B17	3_2_00000254A3332B17
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3340318	3_2_00000254A3340318
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331B77	3_2_00000254A3331B77
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3336370	3_2_00000254A3336370
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332A0B	3_2_00000254A3332A0B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332224	3_2_00000254A3332224
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333AA20	3_2_00000254A333AA20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A335928C	3_2_00000254A335928C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331A66	3_2_00000254A3331A66
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3335258	3_2_00000254A3335258
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33382C0	3_2_00000254A33382C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333AAC0	3_2_00000254A333AAC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33542B0	3_2_00000254A33542B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333B2B0	3_2_00000254A333B2B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3333A9C	3_2_00000254A3333A9C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33330F2	3_2_00000254A33330F2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33348D5	3_2_00000254A33348D5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3336950	3_2_00000254A3336950
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331926	3_2_00000254A3331926
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332930	3_2_00000254A3332930
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3346188	3_2_00000254A3346188
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331160	3_2_00000254A3331160
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33331BC	3_2_00000254A33331BC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33339A9	3_2_00000254A33339A9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33309B0	3_2_00000254A33309B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A334F00C	3_2_00000254A334F00C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333208A	3_2_00000254A333208A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333887B	3_2_00000254A333887B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332864	3_2_00000254A3332864
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3357864	3_2_00000254A3357864
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33338C1	3_2_00000254A33338C1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33340B0	3_2_00000254A33340B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332EE0	3_2_00000254A3332EE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332620	3_2_00000254A3332620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333B770	3_2_00000254A333B770
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333375B	3_2_00000254A333375B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33327B8	3_2_00000254A33327B8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3338FC0	3_2_00000254A3338FC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3352F98	3_2_00000254A3352F98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331E06	3_2_00000254A3331E06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3330E10	3_2_00000254A3330E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33445E8	3_2_00000254A33445E8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3335DE0	3_2_00000254A3335DE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331E19	3_2_00000254A3331E19
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332620	3_2_00000254A3332620
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333A680	3_2_00000254A333A680
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3349E6C	3_2_00000254A3349E6C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333165E	3_2_00000254A333165E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333B6D0	3_2_00000254A333B6D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3335EB0	3_2_00000254A3335EB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331D0C	3_2_00000254A3331D0C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33374F2	3_2_00000254A33374F2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A33474EE	3_2_00000254A33474EE
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3333553	3_2_00000254A3333553
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331570	3_2_00000254A3331570
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A333A5AC	3_2_00000254A333A5AC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3330410	3_2_00000254A3330410
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3343C48	3_2_00000254A3343C48
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3331C4D	3_2_00000254A3331C4D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3357438	3_2_00000254A3357438
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332C33	3_2_00000254A3332C33
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A335B480	3_2_00000254A335B480
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3332C80	3_2_00000254A3332C80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390F9E0	3_2_00000254A390F9E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3902140	3_2_00000254A3902140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3910680	3_2_00000254A3910680
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3914B60	3_2_00000254A3914B60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FCBAB	3_2_00000254A38FCBAB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F73C0	3_2_00000254A38F73C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39073D0	3_2_00000254A39073D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3913BC0	3_2_00000254A3913BC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FD2F0	3_2_00000254A38FD2F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F62E6	3_2_00000254A38F62E6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F3300	3_2_00000254A38F3300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6B00	3_2_00000254A38F6B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F62F9	3_2_00000254A38F62F9
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3919300	3_2_00000254A3919300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F5B3E	3_2_00000254A38F5B3E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3902B50	3_2_00000254A3902B50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3915340	3_2_00000254A3915340
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3921270	3_2_00000254A3921270
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F1264	3_2_00000254A38F1264
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F227C	3_2_00000254A38F227C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3917290	3_2_00000254A3917290
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F4A98	3_2_00000254A38F4A98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FFAA0	3_2_00000254A38FFAA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390AAD0	3_2_00000254A390AAD0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391B2D0	3_2_00000254A391B2D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3925AD0	3_2_00000254A3925AD0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FA1E0	3_2_00000254A38FA1E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39099F0	3_2_00000254A39099F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F61EC	3_2_00000254A38F61EC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3911A10	3_2_00000254A3911A10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3915A10	3_2_00000254A3915A10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FFA00	3_2_00000254A38FFA00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3908230	3_2_00000254A3908230
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391AA30	3_2_00000254A391AA30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7A33	3_2_00000254A38F7A33
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F3A32	3_2_00000254A38F3A32
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F5A50	3_2_00000254A38F5A50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390EA40	3_2_00000254A390EA40
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7160	3_2_00000254A38F7160
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F2971	3_2_00000254A38F2971
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F517C	3_2_00000254A38F517C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F517A	3_2_00000254A38F517A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3909190	3_2_00000254A3909190
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390A190	3_2_00000254A390A190
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3901180	3_2_00000254A3901180
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F219F	3_2_00000254A38F219F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FE9B0	3_2_00000254A38FE9B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FE8DC	3_2_00000254A38FE8DC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7113	3_2_00000254A38F7113
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FA110	3_2_00000254A38FA110
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3914930	3_2_00000254A3914930
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F612D	3_2_00000254A38F612D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3905150	3_2_00000254A3905150
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3934140	3_2_00000254A3934140
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6057	3_2_00000254A38F6057
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3917870	3_2_00000254A3917870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F1070	3_2_00000254A38F1070
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391F890	3_2_00000254A391F890
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3918880	3_2_00000254A3918880
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39038D0	3_2_00000254A39038D0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A392A8BC	3_2_00000254A392A8BC
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F20C7	3_2_00000254A38F20C7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391A7F0	3_2_00000254A391A7F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6FF7	3_2_00000254A38F6FF7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391E010	3_2_00000254A391E010
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3920810	3_2_00000254A3920810
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FB822	3_2_00000254A38FB822
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390C850	3_2_00000254A390C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F176F	3_2_00000254A38F176F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3926F5F	3_2_00000254A3926F5F
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3906F60	3_2_00000254A3906F60
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3923760	3_2_00000254A3923760
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7F7C	3_2_00000254A38F7F7C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3934F90	3_2_00000254A3934F90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F1F88	3_2_00000254A38F1F88
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3908780	3_2_00000254A3908780
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3911F80	3_2_00000254A3911F80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3905FB0	3_2_00000254A3905FB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3907FA0	3_2_00000254A3907FA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3924FA0	3_2_00000254A3924FA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F4FB5	3_2_00000254A38F4FB5
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39267B8	3_2_00000254A39267B8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390EFC0	3_2_00000254A390EFC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3914FC0	3_2_00000254A3914FC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39157C0	3_2_00000254A39157C0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6EEB	3_2_00000254A38F6EEB
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39076E0	3_2_00000254A39076E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390F710	3_2_00000254A390F710
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3914700	3_2_00000254A3914700
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6704	3_2_00000254A38F6704
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F271A	3_2_00000254A38F271A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F5F46	3_2_00000254A38F5F46
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3946670	3_2_00000254A3946670
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3922660	3_2_00000254A3922660
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3949E90	3_2_00000254A3949E90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7E89	3_2_00000254A38F7E89
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FA6A0	3_2_00000254A38FA6A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F769C	3_2_00000254A38F769C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F3EC7	3_2_00000254A38F3EC7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3909EC0	3_2_00000254A3909EC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FEDF0	3_2_00000254A38FEDF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FC5F0	3_2_00000254A38FC5F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FF5E0	3_2_00000254A38FF5E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FCE10	3_2_00000254A38FCE10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3903E10	3_2_00000254A3903E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3919E10	3_2_00000254A3919E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6E10	3_2_00000254A38F6E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F5E06	3_2_00000254A38F5E06
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A392DE00	3_2_00000254A392DE00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3906630	3_2_00000254A3906630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F1630	3_2_00000254A38F1630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FFE20	3_2_00000254A38FFE20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A392664B	3_2_00000254A392664B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390AE40	3_2_00000254A390AE40
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F656A	3_2_00000254A38F656A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F1D80	3_2_00000254A38F1D80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3914D90	3_2_00000254A3914D90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3915590	3_2_00000254A3915590
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F2D8A	3_2_00000254A38F2D8A
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F9588	3_2_00000254A38F9588
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7DA1	3_2_00000254A38F7DA1
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3908DA0	3_2_00000254A3908DA0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390B5A0	3_2_00000254A390B5A0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F75D2	3_2_00000254A38F75D2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391BDC0	3_2_00000254A391BDC0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F54E0	3_2_00000254A38F54E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390CCF0	3_2_00000254A390CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39234F0	3_2_00000254A39234F0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39124E0	3_2_00000254A39124E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3928D24	3_2_00000254A3928D24
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3916530	3_2_00000254A3916530
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391AD30	3_2_00000254A391AD30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FED50	3_2_00000254A38FED50
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390E550	3_2_00000254A390E550
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6D44	3_2_00000254A38F6D44
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3913464	3_2_00000254A3913464
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC54	3_2_00000254A391FC54
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F3470	3_2_00000254A38F3470
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC5D	3_2_00000254A391FC5D
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38FAC80	3_2_00000254A38FAC80
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3915C90	3_2_00000254A3915C90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3925C90	3_2_00000254A3925C90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6C98	3_2_00000254A38F6C98
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3909CB0	3_2_00000254A3909CB0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A39144B0	3_2_00000254A39144B0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3926C9E	3_2_00000254A3926C9E
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F3CA6	3_2_00000254A38F3CA6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F2CD2	3_2_00000254A38F2CD2
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F83E0	3_2_00000254A38F83E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F2BD6	3_2_00000254A38F2BD6
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F13F7	3_2_00000254A38F13F7
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3904410	3_2_00000254A3904410
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F8C05	3_2_00000254A38F8C05
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC27	3_2_00000254A391FC27
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F6B00	3_2_00000254A38F6B00
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC30	3_2_00000254A391FC30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390D420	3_2_00000254A390D420
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3920C20	3_2_00000254A3920C20
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC4B	3_2_00000254A391FC4B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A38F7C3B	3_2_00000254A38F7C3B
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC39	3_2_00000254A391FC39
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391FC42	3_2_00000254A391FC42
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180012140	4_2_0000000180012140
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180015150	4_2_0000000180015150
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180020680	4_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800176E0	4_2_00000001800176E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001F9E0	4_2_000000018001F9E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001AAD0	4_2_000000018001AAD0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180013E10	4_2_0000000180013E10
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180059E90	4_2_0000000180059E90
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006FF7	4_2_0000000180006FF7
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002E010	4_2_000000018002E010
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006057	4_2_0000000180006057
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180001070	4_2_0000000180001070
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800020C7	4_2_00000001800020C7
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000A110	4_2_000000018000A110
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180007113	4_2_0000000180007113
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000612D	4_2_000000018000612D
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180044140	4_2_0000000180044140
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180007160	4_2_0000000180007160
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000517A	4_2_000000018000517A
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000517C	4_2_000000018000517C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180011180	4_2_0000000180011180
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001A190	4_2_000000018001A190
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180019190	4_2_0000000180019190
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000219F	4_2_000000018000219F
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000A1E0	4_2_000000018000A1E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800061EC	4_2_00000001800061EC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180018230	4_2_0000000180018230
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180001264	4_2_0000000180001264
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180031270	4_2_0000000180031270
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000227C	4_2_000000018000227C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180027290	4_2_0000000180027290
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002B2D0	4_2_000000018002B2D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800642E0	4_2_00000001800642E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800062E6	4_2_00000001800062E6
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000D2F0	4_2_000000018000D2F0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800062F9	4_2_00000001800062F9
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180029300	4_2_0000000180029300
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180003300	4_2_0000000180003300
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180062327	4_2_0000000180062327
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180025340	4_2_0000000180025340
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018005B380	4_2_000000018005B380
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800073C0	4_2_00000001800073C0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800173D0	4_2_00000001800173D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800083E0	4_2_00000001800083E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800013F7	4_2_00000001800013F7
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018004C410	4_2_000000018004C410
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180014410	4_2_0000000180014410
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001D420	4_2_000000018001D420
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180023464	4_2_0000000180023464
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180003470	4_2_0000000180003470
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800244B0	4_2_00000001800244B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800224E0	4_2_00000001800224E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800054E0	4_2_00000001800054E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800334F0	4_2_00000001800334F0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180026530	4_2_0000000180026530
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001E550	4_2_000000018001E550
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000656A	4_2_000000018000656A
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180009588	4_2_0000000180009588
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180025590	4_2_0000000180025590
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001B5A0	4_2_000000018001B5A0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800075D2	4_2_00000001800075D2
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000F5E0	4_2_000000018000F5E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000C5F0	4_2_000000018000C5F0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180016630	4_2_0000000180016630
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180001630	4_2_0000000180001630
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018003664B	4_2_000000018003664B
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180032660	4_2_0000000180032660
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180056670	4_2_0000000180056670
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000769C	4_2_000000018000769C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000A6A0	4_2_000000018000A6A0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800486E0	4_2_00000001800486E0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180024700	4_2_0000000180024700
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006704	4_2_0000000180006704
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001F710	4_2_000000018001F710
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000271A	4_2_000000018000271A
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180033760	4_2_0000000180033760
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180063770	4_2_0000000180063770
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000176F	4_2_000000018000176F
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180018780	4_2_0000000180018780
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180052790	4_2_0000000180052790
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800367B8	4_2_00000001800367B8
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800257C0	4_2_00000001800257C0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002A7F0	4_2_000000018002A7F0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180030810	4_2_0000000180030810
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000B822	4_2_000000018000B822
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001C850	4_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180027870	4_2_0000000180027870
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180028880	4_2_0000000180028880
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002F890	4_2_000000018002F890
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018003A8BC	4_2_000000018003A8BC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800138D0	4_2_00000001800138D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000E8DC	4_2_000000018000E8DC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180024930	4_2_0000000180024930
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180002971	4_2_0000000180002971
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000E9B0	4_2_000000018000E9B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800199F0	4_2_00000001800199F0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180053A00	4_2_0000000180053A00
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000FA00	4_2_000000018000FA00
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180021A10	4_2_0000000180021A10
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180025A10	4_2_0000000180025A10
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002AA30	4_2_000000018002AA30
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180003A32	4_2_0000000180003A32
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180007A33	4_2_0000000180007A33
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001EA40	4_2_000000018001EA40
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180005A50	4_2_0000000180005A50
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180004A98	4_2_0000000180004A98
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000FAA0	4_2_000000018000FAA0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180035AD0	4_2_0000000180035AD0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006B00	4_2_0000000180006B00
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180005B3E	4_2_0000000180005B3E
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180012B50	4_2_0000000180012B50
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180024B60	4_2_0000000180024B60
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000CBAB	4_2_000000018000CBAB
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180023BC0	4_2_0000000180023BC0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180002BD6	4_2_0000000180002BD6
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180008C05	4_2_0000000180008C05
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180030C20	4_2_0000000180030C20
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006B00	4_2_0000000180006B00
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC27	4_2_000000018002FC27
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC30	4_2_000000018002FC30
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC39	4_2_000000018002FC39
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180007C3B	4_2_0000000180007C3B
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC42	4_2_000000018002FC42
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC4B	4_2_000000018002FC4B
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC54	4_2_000000018002FC54
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180065C60	4_2_0000000180065C60
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002FC5D	4_2_000000018002FC5D
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018000AC80	4_2_000000018000AC80
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180035C90	4_2_0000000180035C90
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180025C90	4_2_0000000180025C90
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180006C98	4_2_0000000180006C98
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180036C9E	4_2_0000000180036C9E
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180061CA7	4_2_0000000180061CA7
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180003CA6	4_2_0000000180003CA6

Source: Joe Sandbox View

Dropped File: C:\Program Files\Windows Mail\arphaCrashReport64.exe E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271

Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180041800 appears 91 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00000254A3934F40 appears 36 times
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: String function: 0000000180041800 appears 91 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 0000000180041800 appears 91 times

Source: png131.exe

Static PE information: Number of sections : 19 > 10

Source: png131.exe	Binary or memory string: OriginalFilename vs png131.exe
Source: png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs png131.exe
Source: png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs png131.exe

Source: png131.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.png131.exe.7ff62a170000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.png131.exe.7ff62a170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000002.2042505160.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000000.2017630234.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018

Source: png131.exe

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: png131.exe, 00000000.00000000.2018617360.00007FF62B902000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/2

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3910680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	3_2_00000254A3910680
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3919300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A3919300
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3919A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	3_2_00000254A3919A70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3917290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A3917290
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3917870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A3917870
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	3_2_00000254A391CE70
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	3_2_00000254A390FD10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3910480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	3_2_00000254A3910480
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	4_2_0000000180020680
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180027290
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180029300
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	4_2_0000000180020480
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0000000180027870
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	4_2_0000000180029A70
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	4_2_000000018001FD10
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	4_2_000000018002CE70
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_0000000180027290
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_0000000180029300
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	5_2_0000000180020480
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	5_2_0000000180020680
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_0000000180027870
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	5_2_0000000180029A70
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	5_2_000000018001FD10
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	5_2_000000018002CE70
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,	6_2_0000000180020480
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,	6_2_0000000180020680
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180027290
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180029300
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_0000000180027870
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,	6_2_0000000180029A70
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,	6_2_000000018001FD10
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,	6_2_000000018002CE70

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A390C4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,

3_2_00000254A390C4E0

Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	3_2_00000254A39163C0
Source: C:\Windows\System32\svchost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	4_2_00000001800263C0
Source: C:\Windows\System32\dllhost.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	5_2_00000001800263C0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,	6_2_00000001800263C0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391CA60 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,

3_2_00000254A391CA60

Source: C:\Users\user\Desktop\png131.exe

Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,

0_2_0000000180001A10

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Code function: 6_2_00007FF624974000 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

6_2_00007FF624974000

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3902140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess,

3_2_00000254A3902140

Source: C:\Windows\System32\svchost.exe

File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Jump to behavior

Source: C:\Users\user\Desktop\png131.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\png131.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: png131.exe	ReversingLabs: Detection: 13%
Source: png131.exe	Virustotal: Detection: 15%

Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: svchost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: dllhost.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
Source: arphaCrashReport64.exe	String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: arphaCrashReport64.exe	String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}

Source: unknown	Process created: C:\Users\user\Desktop\png131.exe "C:\Users\user\Desktop\png131.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Users\user\Desktop\png131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: arphadump64.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\Windows Mail\arphaDump64.bin	Jump to behavior

Source: png131.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: png131.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: png131.exe

Static file information: File size 28080640 > 1048576

Source: png131.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xb55c00
Source: png131.exe	Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0xefd600

Source: png131.exe	Static PE information: More than 200 imports for KERNEL32.dll
Source: png131.exe	Static PE information: More than 200 imports for USER32.dll

Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: png131.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: png131.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: png131.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: png131.exe, png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000006.00000002.2072502363.00007FF8B8B39000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.3.dr
Source:	Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: png131.exe, png131.exe, 00000000.00000002.2041775125.0000020054D20000.00000004.00001000.00020000.00000000.sdmp, png131.exe, 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000006.00000002.2072276339.00007FF624992000.00000002.00000001.01000000.00000008.sdmp, arphaCrashReport64.exe, 00000006.00000000.2056121124.00007FF624992000.00000002.00000001.01000000.00000008.sdmp, arphaCrashReport64.exe.3.dr

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3914080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

3_2_00000254A3914080

Source: png131.exe	Static PE information: section name: .vmp0
Source: png131.exe	Static PE information: section name: .enigma1
Source: png131.exe	Static PE information: section name: .enigma2
Source: png131.exe	Static PE information: section name: .vmp1
Source: png131.exe	Static PE information: section name: .vmp2
Source: png131.exe	Static PE information: section name: .arch
Source: png131.exe	Static PE information: section name: .srdata
Source: png131.exe	Static PE information: section name: .xdata
Source: png131.exe	Static PE information: section name: .xpdata
Source: png131.exe	Static PE information: section name: .xtls
Source: png131.exe	Static PE information: section name: .themida
Source: png131.exe	Static PE information: section name: .dsstext
Source: png131.exe	Static PE information: section name: .qtmetad
Source: png131.exe	Static PE information: section name: .qtmimed
Source: png131.exe	Static PE information: section name: _RDATA

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390C3E0 push rcx; ret	3_2_00000254A390C3E1
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001C3E0 push rcx; ret	4_2_000000018001C3E1
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00000001800619F7 push FF491775h; ret	4_2_00000001800619FC
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001C3E0 push rcx; ret	5_2_000000018001C3E1
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_00000001800619F7 push FF491775h; ret	5_2_00000001800619FC
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001C3E0 push rcx; ret	6_2_000000018001C3E1
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00000001800619F7 push FF491775h; ret	6_2_00000001800619FC

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A39130FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,

3_2_00000254A39130FE

Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaCrashReport64.exe			Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Program Files\Windows Mail\arphaDump64.dll			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A39163C0 memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,

3_2_00000254A39163C0

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\svchost.exe

File deleted: c:\users\user\desktop\png131.exe

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A390BFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_00000254A390BFC0

Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\System32\dllhost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Windows\System32\svchost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode	graph_3-45541
Source: C:\Users\user\Desktop\png131.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode	graph_0-13627

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3906F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

3_2_00000254A3906F60

Source: C:\Users\user\Desktop\png131.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	0_2_00000001800015B0
Source: C:\Users\user\Desktop\png131.exe	Code function: EnumServicesStatusExW,	0_2_0000000180119010
Source: C:\Windows\System32\svchost.exe	Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_00000001800015B0
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	3_2_00000254A391D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A391F890
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	4_2_000000018002D140
Source: C:\Windows\System32\svchost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018002F890
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	5_2_000000018002D140
Source: C:\Windows\System32\dllhost.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_000000018002F890
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,	6_2_000000018002D140
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018002F890

Source: C:\Windows\System32\svchost.exe	API coverage: 3.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\dllhost.exe	API coverage: 3.2 %
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	API coverage: 3.4 %

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	3_2_00000254A390E210
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A390C850
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390DDD0 malloc,memset,FindFirstFileW,free,	3_2_00000254A390DDD0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_00000254A390CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	4_2_000000018001E210
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001C850
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	4_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	5_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	5_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	5_2_000000018001DDD0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF624988F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	6_2_00007FF624988F78
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF8B8B305EC FindFirstFileExW,	6_2_00007FF8B8B305EC
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,	6_2_000000018001E210
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001C850
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	6_2_000000018001CCF0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,	6_2_000000018001DDD0

Source: C:\Windows\System32\svchost.exe

3_2_00000254A3919300

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A39124E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,

3_2_00000254A39124E0

Source: svchost.exe, 00000003.00000002.3265158219.00000254A202B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: dllhost.exe, 00000008.00000002.3263443826.0000025175C3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: dllhost.exe, 00000005.00000002.3263373268.00000200AFBAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@
Source: svchost.exe, 00000003.00000000.2024653440.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3265283168.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3263993257.000002DFE3413000.00000004.00000020.00020000.00000000.sdmp, arphaCrashReport64.exe, 00000006.00000002.2070479095.00000263ED564000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3263901067.00000277B8813000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\png131.exe	API call chain: ExitProcess graph end node			graph_0-13634
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node			graph_3-45823

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391E2EE mouse_event,BlockInput,

3_2_00000254A391E2EE

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3954130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_00000254A3954130

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Code function: 6_2_00007FF62497D1E8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_00007FF62497D1E8

Source: C:\Windows\System32\svchost.exe

3_2_00000254A3906F60

Source: C:\Windows\System32\svchost.exe

Code function: 4_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC

4_2_0000000180034DA0

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3914080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,

3_2_00000254A3914080

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391CA60 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,

3_2_00000254A391CA60

Source: C:\Users\user\Desktop\png131.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000001801129E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00000001801129E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3954130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00000254A3954130
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3950030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00000254A3950030
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0000000180060030
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0000000180064130
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000000180060770
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000180060030
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000180064130
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0000000180060770
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF62497EEF4 SetUnhandledExceptionFilter,	6_2_00007FF62497EEF4
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF6249821D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF6249821D8
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF62497ED0C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF62497ED0C
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF62497E440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF62497E440
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF8B8B26270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF8B8B26270
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF8B8B2D3B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF8B8B2D3B4
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_00007FF8B8B25860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF8B8B25860
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000180060030
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000180064130
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0000000180060770

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: arphaCrashReport64.exe.3.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\png131.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A3200000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A27B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A27C0000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A37A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A37B0000 protect: page read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A3840000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A3850000 protect: page read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A390F9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,

3_2_00000254A390F9E0

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A390F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	3_2_00000254A390F710
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3919E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	3_2_00000254A3919E10
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A391E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	3_2_00000254A391E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	4_2_000000018002E4D0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	4_2_000000018001F710
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	4_2_0000000180029E10
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	5_2_000000018002E4D0
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	5_2_000000018001F710
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	5_2_0000000180029E10
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,	6_2_000000018002E4D0
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,	6_2_000000018001F710
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,	6_2_0000000180029E10

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x18000E065	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x18002CA47
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x18002D4F8	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x18001244C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1800209C4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x18002D89D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x18002052B
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18000D3EB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180008FB0	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x18001216D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18001B0FA	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020758	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1800207AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1800208EE	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18000E4F4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020A2F	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x180020511	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x18000E8B1	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtUnmapViewOfSection: Direct from: 0x18002C9A7	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18002069D	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x18000E6D2	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtUnmapViewOfSection: Direct from: 0x18002C9C4	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020818	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020959	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQueryInformationProcess: Direct from: 0x1800091B3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x1800121DB	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtWriteVirtualMemory: Direct from: 0x18000B93E	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x18002D84B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020A9A	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18000E173	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18001B08C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x18002D52B	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x18000C5C9	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtProtectVirtualMemory: Direct from: 0x18002D88C	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18001B0C3	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020883	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtClose: Direct from: 0x180020741
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180008494	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x180009000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18001AFDD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18000B8AD	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAdjustPrivilegesToken: Direct from: 0x180020727	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtQuerySystemInformation: Direct from: 0x18002C984	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180012212	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x180020544	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18001B131	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	NtAllocateVirtualMemory: Direct from: 0x18002D1CC	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7116	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 6204	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 1852	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread register set: target process: 7236	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\png131.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A3200000	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27B0000	Jump to behavior
Source: C:\Users\user\Desktop\png131.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 200AFA40000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 200AFAD0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 200AFA30000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A37A0000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A37B0000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A3840000	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A3850000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 251759F0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 25175A80000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 251759E0000	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	3_2_00000254A3902140
Source: C:\Windows\System32\svchost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	4_2_0000000180012140
Source: C:\Windows\System32\dllhost.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	5_2_0000000180012140
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe	6_2_0000000180012140

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,

3_2_00000254A391E010

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A391E2EE mouse_event,BlockInput,

3_2_00000254A391E2EE

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Mail\arphaCrashReport64.exe "C:\Program Files\Windows Mail\arphaCrashReport64.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll	Jump to behavior

Source: svchost.exe, 00000004.00000003.2372636615.000002DFE4AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2614981477.000002DFE4AC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2735450523.000002DFE4AC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000004.00000003.2131393872.000002DFE4AC0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000005.00000003.2173058960.00000200B2150000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2158737049.00000277B9E20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager,
Source: svchost.exe, 00000004.00000003.3037166887.000002DFE4AC0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000005.00000003.3141882857.00000200B2150000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3266397806.00000277B9E40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\png131.exe

Code function: 0_2_000000018002BBA8 cpuid

0_2_000000018002BBA8

Source: C:\Users\user\Desktop\png131.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 3_2_00000254A3917E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,

3_2_00000254A3917E20

Source: C:\Users\user\Desktop\png131.exe

Code function: 0_2_0000000180112B5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0000000180112B5C

Source: C:\Windows\System32\svchost.exe

3_2_00000254A39124E0

Stealing of Sensitive Information

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1068, type: MEMORYSTR

Remote Access Functionality

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 1068, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3946B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	3_2_00000254A3946B30
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A393A830 socket,socket,htonl,bind,getsockname,	3_2_00000254A393A830
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3937630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	3_2_00000254A3937630
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000254A3911520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	3_2_00000254A3911520
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,	4_2_000000018004A830
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	4_2_0000000180021520
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	4_2_0000000180047630
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	4_2_0000000180056B30
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	5_2_0000000180021520
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	5_2_0000000180047630
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_000000018004A830 socket,socket,htonl,bind,getsockname,	5_2_000000018004A830
Source: C:\Windows\System32\dllhost.exe	Code function: 5_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	5_2_0000000180056B30
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,	6_2_0000000180021520
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,	6_2_0000000180047630
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_000000018004A830 socket,socket,htonl,bind,getsockname,	6_2_000000018004A830
Source: C:\Program Files\Windows Mail\arphaCrashReport64.exe	Code function: 6_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,	6_2_0000000180056B30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	12 Windows Service	11 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	12 Service Execution	1 Scheduled Task/Job	12 Windows Service	1 Software Packing	LSA Secrets	25 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	523 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 File Deletion	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Masquerading	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	523 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Indicator Removal	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
png131.exe	13%	ReversingLabs
png131.exe	15%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	4%	ReversingLabs
C:\Program Files\Windows Mail\arphaDump64.dll	5%	ReversingLabs

Source	Detection	Scanner	Label
https://www.eksempel.comWebadressen	0%	Avira URL Cloud	safe
https://passwords.google.comGemte	0%	Avira URL Cloud	safe
https://passwords.google.comSelle	0%	Avira URL Cloud	safe
http://47.238.215.73	0%	Avira URL Cloud	safe
https://passwords.google.comSaved	0%	Avira URL Cloud	safe
https://passwords.google.comUlo	0%	Avira URL Cloud	safe
https://passwords.google.comGestoorde	0%	Avira URL Cloud	safe
https://passwords.google.comContrasenyes	0%	Avira URL Cloud	safe
https://passwords.google.comSe	0%	Avira URL Cloud	safe
https://passwords.google.comMots	0%	Avira URL Cloud	safe
https://www.beispiel.de	0%	Avira URL Cloud	safe
https://passwords.google.comMga	0%	Avira URL Cloud	safe
https://passwords.google.comContrase	0%	Avira URL Cloud	safe
http://47.238.215.73/	0%	Avira URL Cloud	safe
https://passwords.google.comF	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://47.238.215.73/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=deStrg$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
http://eksempel.dk	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=de&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/answer/6098869?hl=es	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/answer/6098869	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.html	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=es-419Ctrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.eksempel.comWebadressen	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=etCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.html&HilfeVon	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comSaved	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=zh-TWCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
http://47.238.215.73	svchost.exe, 00000004.00000003.2648462641.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3252835233.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2166089526.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2226581770.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2346117697.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3011848093.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3072294504.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2406143977.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3193077464.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2105975161.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2831073812.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2891621352.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2709220531.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2286468292.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2587852150.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2466234241.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2951713138.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2769686541.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.3132049947.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2526302473.000002DFE3513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2388806000.00000277B8913000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html&N	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://myactivity.google.com/	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comGemte	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comSelle	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=da&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comGestoorde	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.com	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://policies.google.com/	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comUlo	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://passwords.google.comContrasenyes	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=daCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=esCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://ejemplo.com.Se	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=afCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=csCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comSe	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html&AideG	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comMots	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/category/extensions	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://eksempel.dk.Brug	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chromebook?p=app_intent	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=cs&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=frCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.beispiel.de	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comT	png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/answer/96817	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/a/?p=browser_profile_details	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=filCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlH&j	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comMga	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://support.google.com/chrome/a/answer/9122284	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=enCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comContrase	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=fiCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlBestuur	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=caCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi	png131.exe, 00000000.00000000.2018617360.00007FF62B6D3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62B726000.00000008.00000001.01000000.00000003.sdmp	false		high
https://passwords.google.comF	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ejemplo.com	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high
https://chrome.google.com/webstore?hl=en-GBCtrl$1	png131.exe, 00000000.00000000.2018617360.00007FF62ACD3000.00000008.00000001.01000000.00000003.sdmp, png131.exe, 00000000.00000002.2044305914.00007FF62AD26000.00000008.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.238.215.73	unknown	United States		20115	CHARTER-20115US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570457
Start date and time:	2024-12-07 03:55:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	png131.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 33 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:56:05	Task Scheduler	Run new task: MicrosoftEdgeUpdate path: C:\Program Files\Windows Mail\arphaCrashReport64.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHARTER-20115US	arm5.elf	Get hash	malicious	Unknown	Browse	47.49.110.141
	jew.mips.elf	Get hash	malicious	Unknown	Browse	71.8.33.252
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	68.114.254.39
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	71.81.11.16
	main_mips.elf	Get hash	malicious	Mirai	Browse	71.9.251.192
	main_ppc.elf	Get hash	malicious	Mirai	Browse	174.82.196.131
	main_x86.elf	Get hash	malicious	Mirai	Browse	24.181.154.99
	https://rebrand.ly/moe5eyg	Get hash	malicious	Unknown	Browse	47.238.135.216
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	174.80.96.39
	powerpc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	68.190.212.174

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Windows Mail\arphaCrashReport64.exe	install.exe	Get hash	malicious	ValleyRAT	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	Telegrm2.69.exe	Get hash	malicious	Unknown	Browse
	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse
	Cbrome1.0.exe	Get hash	malicious	Unknown	Browse
	Supe.exe	Get hash	malicious	Unknown	Browse
	Cbrome1.0.exe	Get hash	malicious	Unknown	Browse
	Supe.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\Windows Mail\arphaDump64.dll	install.exe	Get hash	malicious	ValleyRAT	Browse

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238384
Entropy (8bit):	6.278635939854228
Encrypted:	false
SSDEEP:	3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
MD5:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1:	DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256:	E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512:	1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: install.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: Telegrm2.69.exe, Detection: malicious, Browse Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: SvpnLong2.exe, Detection: malicious, Browse Filename: Cbrome1.0.exe, Detection: malicious, Browse Filename: Supe.exe, Detection: malicious, Browse Filename: Cbrome1.0.exe, Detection: malicious, Browse Filename: Supe.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................

C:\Program Files\Windows Mail\arphaDump64.bin

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	546252
Entropy (8bit):	6.544081953154751
Encrypted:	false
SSDEEP:	12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYSe:flXDp9HPYlr5e
MD5:	090D51092C6775263CF278817616E46A
SHA1:	4EA713D8B39948A647D828DF07F6B20C245F90AE
SHA-256:	0A71FE703264547C6B71EC414B58EB509DAAA45E9E2B3555F03A97A825514851
SHA-512:	FDE523F63DA0B56405EAFF353770870D6AAAAB088756408620BA95C71B2C221A6AA909BDDCA58FED5FC62A4EA508C79273D0D902543094185666D54F5E7FE455
Malicious:	false
Reputation:	low
Preview:	4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s\|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.\|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.

C:\Program Files\Windows Mail\arphaDump64.dll

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	6.391182582162269
Encrypted:	false
SSDEEP:	3072:qzZrTgN6uyqfkqc53wuY+OrGW2LRKK9+R/BsP3VkxQO6yOxaXLNC3dvMvuTYp:ksxkmyLRKiM/BsNd3yGaXpruT2
MD5:	1184B14D782403EAF5EB02DFA36777C5
SHA1:	7C6FBCFC3C26B1BFB232DADCE23F31124468BD72
SHA-256:	ACC214BCA1EE6212144EC1F45F247389FD81C462C8D4C4D85B323198F911759A
SHA-512:	B378B9D3A51919654A8C5D56B6359F870EC9C14C7EFB9F56BAB6F547CDF5A45A1A9BE793C2461752196B8BA64C7ED9CDCBE6E34BFFF68A8C05FA8CAA8A96FB5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: install.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K+...Js..Js..Js.D2p..Js.D2v..Js.D2w..Js...p..Js...w..Js...v.,Js.D2r..Js..Jr.jJs...z..Js...s..Js.....Js...q..Js.Rich.Js.................PE..d....DDg.........." ...*.............^....................................................`..........................................,.......-..<............p..........................p.......................(.......@............................................text...P~.......................... ..`.rdata.............................@..@.data....&...@.......,..............@....pdata.......p.......B..............@..@.rsrc................X..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	3.559862861079417
Encrypted:	false
SSDEEP:	48:yei1q9tNTPQOYZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTCp+++:t7U4diaigVA9ll7dhFFb+
MD5:	53DCF71FCE78EA4C7B41FB4D973E5815
SHA1:	46FB4C836823ABC49A153F6385D66C5F9E0CA30D
SHA-256:	464DAC2210C387ADA19C7DF46AE18B628E1D8F9EA34DD7EDF812289CFECAF4DB
SHA-512:	BF9C4DBEC061FE85A099C4D8E31C09B75F9B8CDDD554CA0F241A63E08B463242A30272B423C0ED9F5A38844A89924530C358442EB898837CC00B1368C439008B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.A.u.t.h.o.r.>.S.Y.S.T.E.M.<./.A.u.t.h.o.r.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.M.i.c.r.o.s.o.f.t. .E.d.g.e. .U.p.d.a.t.e. .T.a.s.k. .M.a.c.h.i.n.e.C.o.r.e.<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t.E.d.g.e.U.p.d.a.t.e.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.B.o.o.t.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.B.o.o.t.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.S.-.1.-.5.-.1.8.<./.U.s.e.r.I.d.

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.711304454019116
Encrypted:	false
SSDEEP:	96:pYMguQII4iT6h4aGdinipV9ll7UY5HAmzQ+:9A4b/xne7HO+
MD5:	B8134437D77DE9B7422118FD637ADB93
SHA1:	1CF615F321B0D915D35DBAF49AAD4D46A9D0B599
SHA-256:	2817D825CEB7D5B38D9A1AE85EE7BD3E0C50C50682A008F5EA86BE849B045018
SHA-512:	851F9E96B08BB5BFD82FF846A1A6B0FDD557A5C9DEF9EF301D38B1BD1A4B5AD342A031B84A755229A6842112777BF7D0E63A1C5084ED29ED18A40AF680F2C7DA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.000894456502069
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	png131.exe
File size:	28'080'640 bytes
MD5:	cc229473f79f7c6b26f368dc07731472
SHA1:	0969d6ea4eee31e7ee3d780bf0fe0c783f61ba49
SHA256:	a335d89038645fc3facd680615e971e97e79c967d3d44e04c089ef69543f6fbe
SHA512:	9ef639cb2b756d83da5b919b62962030f7e5d68ec2aa25fcd3e16d0376906f26ea79a56eb552c6265c666cf8c72553c968516d59e2059fe9864ab24a0c09a624
SSDEEP:	393216:CbAIziPq0N354zcub/ojHVgQOp2X4PIH1m9htJsv6tWKFdu9Co:C9C1nYP6m9hi
TLSH:	4D57CF07B2D516E5E4A2E178DA03C117FB71B018A76183DB24A986D92F73BF4AD3B350
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS moda....$.........................................L.........................Q.......................................s.......a..................

File Icon


Icon Hash:	010313191b296206

Static PE Info

General

Entrypoint:	0x140a36b74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FEE27 [Wed Dec 4 05:52:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3d7edc08d2da4fe82b77b2b3925b45ff

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0D7D060E10h
dec eax
add esp, 28h
jmp 00007F0D7D06015Fh
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov edx, 00000FA0h
dec eax
lea ecx, dword ptr [01041B02h]
call dword ptr [00122C44h]
dec eax
lea ecx, dword ptr [00ED9975h]
call dword ptr [00122E87h]
dec eax
mov ebx, eax
dec eax
test eax, eax
jne 00007F0D7D0602F7h
dec eax
lea ecx, dword ptr [00E93890h]
call dword ptr [00122E72h]
dec eax
mov ebx, eax
dec eax
test eax, eax
je 00007F0D7D060361h
dec eax
lea edx, dword ptr [00ED9993h]
dec eax
mov ecx, ebx
call dword ptr [00122E52h]
dec eax
lea edx, dword ptr [00ED99A3h]
dec eax
mov ecx, ebx
dec eax
mov edi, eax
call dword ptr [00122E3Fh]
dec eax
test edi, edi
je 00007F0D7D0602F7h
dec eax
test eax, eax
je 00007F0D7D0602F2h
dec eax
mov dword ptr [01041AC6h], edi
dec eax
mov dword ptr [01041AC7h], eax
jmp 00007F0D7D060300h
inc ebp
xor ecx, ecx
inc ebp
xor eax, eax
xor ecx, ecx
inc ecx
lea edx, dword ptr [ecx+01h]
call dword ptr [00122B5Bh]
dec eax
mov dword ptr [01041A74h], eax
dec eax
test eax, eax
je 00007F0D7D060306h
xor ecx, ecx
call 00007F0D7D05FE09h
test al, al
je 00007F0D7D0602FBh
dec eax
lea ecx, dword ptr [0000001Dh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5a8c0	0x1b8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1aed000	0x1398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xbc663c	0x88b00	.vmp2
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ad3000	0x19e60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1957b98	0x1c	.vmp2
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1957d00	0x28	.vmp2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1957bc0	0x138	.vmp2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb59000	0x1898	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb55a04	0xb55c00	631adc26ab7790948aeb63f37659b3bc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp0	0xb57000	0x16d0	0x1800	2e6d9419ef392eb3eb4d124242b7a28c	False	0.349609375	data	6.28892411727047	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.idata	0xb59000	0x6a34	0x6c00	6678589612456acf32093b6e2e89d66b	False	0.3060980902777778	data	4.851394029366992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.enigma1	0xb60000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.enigma2	0xb61000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp1	0xb62000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp2	0xb63000	0xf1785c	0xefd600	a7f9c633e6031a26e12f327264a4cf0f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.arch	0x1a7b000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.srdata	0x1a7c000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1a7d000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xpdata	0x1a7e000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xtls	0x1a7f000	0x10	0x200	299913f1761f4d88c8238ba7474d01b0	False	0.05078125	data	0.19977565608732903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x1a80000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dsstext	0x1a81000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.qtmetad	0x1a82000	0x536	0x600	bfd0a37e057f358d80d1716d9a9abd7e	False	0.24609375	data	5.0500249701877475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed	0x1a83000	0x4ece5	0x4ee00	2d32d357ab751ffbbb513570c6ee6986	False	0.997458770800317	gzip compressed data, original size modulo 2^32 0	7.998000978505572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA	0x1ad2000	0x130	0x200	26517bd6bd3607e6b697fd59e99f1ac6	False	0.333984375	data	2.694237202954144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ad3000	0x19e60	0x1a000	d74a832c4b8e930ead621a813cedadc2	False	0.1108867938701923	data	5.472923913242694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1aed000	0x2000	0x1400	1664571f6fa49c84f3905e733b1a5bc2	False	0.4208984375	data	4.802530000860704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1aed2f4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.39919354838709675
RT_ICON	0x1aed5dc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5168918918918919
RT_STRING	0x1aed704	0x142	data			0.6242236024844721
RT_STRING	0x1aed848	0x114	data			0.7644927536231884
RT_STRING	0x1aed95c	0xfe	AmigaOS bitmap font "\017_\034 %", 15464 elements, 2nd, 3rd			0.8464566929133859
RT_STRING	0x1aeda5c	0x68	data			0.75
RT_STRING	0x1aedac4	0xb4	data			0.6277777777777778
RT_STRING	0x1aedb78	0xae	data			0.5344827586206896
RT_RCDATA	0x1aedc28	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1aedc54	0x22	data	English	United States	1.0
RT_VERSION	0x1aedc78	0x39c	data	English	United States	0.33874458874458874
RT_MANIFEST	0x1aee014	0x383	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4638487208008899

Imports

DLL	Import
WTSAPI32.dll	WTSFreeMemory, WTSQuerySessionInformationW
UxTheme.dll	GetThemeColor, GetThemeInt, GetThemeEnumValue, GetThemeMargins, GetThemePropertyOrigin, GetThemeTransitionDuration, CloseThemeData, OpenThemeData, GetThemeBackgroundRegion, IsThemeBackgroundPartiallyTransparent, GetThemeBool, SetWindowTheme, IsThemeActive, IsAppThemed, GetCurrentThemeName, GetThemePartSize, GetThemeSysColor, DrawThemeText, DrawThemeParentBackground, DrawThemeBackground, GetWindowTheme
dwmapi.dll	DwmSetWindowAttribute, DwmIsCompositionEnabled, DwmEnableBlurBehindWindow, DwmGetWindowAttribute
GDI32.dll	SelectObject, CreateDIBSection, GdiFlush, BitBlt, OffsetRgn, SetLayout, GetDeviceCaps, CreateCompatibleBitmap, CreateDCW, CreateBitmap, ChoosePixelFormat, SetPixelFormat, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, EnumFontFamiliesExW, GetFontData, GetStockObject, AddFontResourceExW, RemoveFontResourceExW, AddFontMemResourceEx, RemoveFontMemResourceEx, GetTextMetricsW, GetTextFaceW, GetCharABCWidthsW, GetCharABCWidthsFloatW, GetGlyphOutlineW, GetOutlineTextMetricsW, GetTextExtentPoint32W, GetCharABCWidthsI, SetBkMode, SetGraphicsMode, SetTextColor, SetTextAlign, SetWorldTransform, ExtTextOutW, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, DPtoLP, SetRectRgn, PatBlt, CreateRectRgnIndirect, ScaleWindowExtEx, ScaleViewportExtEx, OffsetWindowOrgEx, SelectClipRgn, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, TextOutW, MoveToEx, SetROP2, SetPolyFillMode, GetLayout, SetMapMode, SelectPalette, ExtSelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetPixel, GetObjectType, GetClipBox, ExcludeClipRect, Escape, CreateSolidBrush, CreatePatternBrush, CreatePen, CreateHatchBrush, SetBkColor, CopyMetaFileW, GetDIBits, GetRegionData, DeleteObject, DeleteDC, CreateRectRgn, CreateCompatibleDC, CombineRgn, SetPixel, StretchBlt, SetDIBColorTable, CreateEllipticRgn, GetViewportOrgEx, GetTextColor, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, Rectangle, GetRgnBox, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, OffsetViewportOrgEx, Ellipse, GetWindowOrgEx
OLEAUT32.dll	SysAllocString, SafeArrayCreateVector, SafeArrayPutElement, SysFreeString, LoadTypeLib, SysAllocStringLen, SysStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantChangeType, VarBstrFromDate, VariantInit
IMM32.dll	ImmGetContext, ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow, ImmSetCandidateWindow, ImmGetVirtualKey, ImmGetDefaultIMEWnd
KERNEL32.dll	EnterCriticalSection, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, SetLastError, RaiseException, DecodePointer, OutputDebugStringA, GetExitCodeProcess, GetUserGeoID, GetGeoInfoW, GetTimeZoneInformation, GetModuleHandleExW, FreeLibrary, LocalReAlloc, FindFirstFileExW, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, MultiByteToWideChar, LCMapStringW, CompareStringW, RegisterWaitForSingleObject, UnregisterWaitEx, SetFilePointerEx, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, CopyFileW, DeviceIoControl, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, GetModuleFileNameW, GetStartupInfoW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetFileAttributesExW, GetUserPreferredUILanguages, GetUserDefaultLCID, GetCurrencyFormatW, GetTimeFormatW, GetDateFormatW, ResetEvent, GetSystemInfo, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, ResumeThread, TerminateThread, GetThreadPriority, SetThreadPriority, GetCurrentThread, CreateThread, WaitForMultipleObjects, Sleep, WaitForSingleObject, DuplicateHandle, GetSystemDirectoryW, CreateEventW, WaitForSingleObjectEx, SetEvent, IsProcessorFeaturePresent, LoadResource, LockResource, SizeofResource, TerminateProcess, GetCurrentProcess, OutputDebugStringW, GetLocalTime, GetSystemTime, GetCommandLineW, CompareStringEx, InitializeCriticalSectionAndSpinCount, GetDriveTypeW, GetVolumeInformationW, GetLongPathNameW, FindResourceW, MulDiv, lstrcmpA, GlobalGetAtomNameW, EncodePointer, LoadLibraryExW, GlobalDeleteAtom, GlobalAddAtomW, GlobalFindAtomW, GetFileSize, LockFile, UnlockFile, lstrcmpiW, GlobalFlags, GetVersionExW, GetUserDefaultUILanguage, VirtualProtect, FileTimeToLocalFileTime, GetFileTime, SetFileAttributesW, SystemTimeToTzSpecificLocalTime, lstrcpyW, FindResourceExW, GetWindowsDirectoryW, VerSetConditionMask, VerifyVersionInfoW, GetTickCount, GetProfileIntW, SearchPathW, GetTempFileNameW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlUnwindEx, WideCharToMultiByte, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, WriteFile, SetFilePointer, ReadFile, GetFileSizeEx, CreateFileW, GetUserDefaultLangID, GetCurrentProcessId, GlobalSize, LoadLibraryA, LoadLibraryW, GetLocaleInfoW, GlobalLock, GlobalUnlock, GlobalAlloc, OpenProcess, CheckRemoteDebuggerPresent, CreateProcessW, CloseHandle, ExpandEnvironmentStringsW, WTSGetActiveConsoleSessionId, FormatMessageW, LocalFree, GetProcAddress, GetModuleHandleW, GetCurrentThreadId, GetLastError, lstrcmpW, lstrcatW, InitializeCriticalSectionEx, LeaveCriticalSection, DeleteCriticalSection, CreateActCtxW, ActivateActCtx, DeactivateActCtx, FindActCtxSectionStringW, QueryActCtxW, InitializeCriticalSection, GlobalReAlloc, GlobalHandle, GlobalFree, GetConsoleWindow, RtlUnwind, LocalAlloc, ExitProcess, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetStdHandle, GetConsoleMode, ReadConsoleW, GetConsoleCP, HeapQueryInformation, VirtualAlloc, VirtualQuery, GetStdHandle, IsValidLocale, EnumSystemLocalesW, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, ReleaseMutex, CreateMutexW, VirtualFree, FindNextFileW
ole32.dll	CoDisconnectObject, OleDuplicateData, CoTaskMemAlloc, StringFromGUID2, CreateStreamOnHGlobal, OleLockRunning, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CoCreateGuid, CoGetMalloc, ReleaseStgMedium, CoTaskMemFree, DoDragDrop, CoCreateInstance, OleIsCurrentClipboard, OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoInitialize, CoInitializeEx, CoUninitialize, OleUninitialize, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal
SHELL32.dll	SHGetSpecialFolderLocation, SHGetDesktopFolder, DragQueryFileW, DragFinish, SHAppBarMessage, SHGetKnownFolderPath, SHGetFileInfoW, SHGetStockIconInfo, ShellExecuteW, SHCreateItemFromIDList, SHCreateItemFromParsingName, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, Shell_NotifyIconW, Shell_NotifyIconGetRect, CommandLineToArgvW
USER32.dll	EnableScrollBar, InvertRect, NotifyWinEvent, GetMenuDefaultItem, GetKeyNameTextW, LoadMenuW, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateW, SetClassLongPtrW, DrawEdge, DrawFrameControl, BringWindowToTop, CopyIcon, FrameRect, DrawIcon, UnionRect, LoadAcceleratorsW, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, UnhookWindowsHookEx, UnregisterDeviceNotification, ChangeWindowMessageFilterEx, RealGetWindowClassW, EnumWindows, GetWindowTextW, CloseTouchInputHandle, GetTouchInputInfo, GetAsyncKeyState, GetMessageExtraInfo, TrackMouseEvent, GetClipboardFormatNameW, GetCursorInfo, GetIconInfo, CreateIconIndirect, CreateCursor, LoadCursorW, GetCursor, SetCursorPos, EnumDisplayDevicesW, RegisterClassW, TrackPopupMenuEx, MapVirtualKeyW, ToUnicode, ToAscii, GetKeyboardState, GetKeyState, IsZoomed, PeekMessageW, FindWindowA, SetCaretPos, ShowCaret, HideCaret, DestroyCaret, CreateCaret, IsWindowEnabled, RegisterWindowMessageW, GetKeyboardLayout, RegisterClipboardFormatW, ChangeClipboardChain, SetClipboardViewer, IsHungAppWindow, LoadIconW, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromWindow, SetMenuItemInfoW, GetMenuItemInfoW, TrackPopupMenu, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, IsRectEmpty, CreatePopupMenu, CreateMenu, DrawMenuBar, SetMenu, LoadImageW, GetSysColorBrush, ChildWindowFromPointEx, WindowFromPoint, GetCursorPos, GetFocus, RegisterClassExW, GetClassInfoW, UnregisterClassW, UnregisterPowerSettingNotification, RegisterPowerSettingNotification, GetKeyboardLayoutList, GetAncestor, MonitorFromPoint, DestroyIcon, DestroyCursor, GetWindow, GetWindowThreadProcessId, SetParent, GetParent, SetWindowLongPtrW, GetWindowLongPtrW, SetWindowLongW, GetWindowLongW, ScreenToClient, ClientToScreen, SetCursor, AdjustWindowRectEx, GetWindowRect, GetClientRect, SetWindowTextW, InvalidateRect, SetWindowRgn, GetUpdateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, DrawFocusRect, GetSystemMenu, GetMenu, ReleaseCapture, SetCapture, GetCapture, IsTouchWindow, UnregisterTouchWindow, RegisterTouchWindow, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, FlashWindowEx, CallNextHookEx, UpdateLayeredWindow, ShowWindow, IsChild, CreateWindowExW, AttachThreadInput, PostMessageW, SendMessageW, UpdateLayeredWindowIndirect, GetCaretBlinkTime, MessageBeep, IsWindow, GetDoubleClickTime, GetDesktopWindow, GetSysColor, ReleaseDC, GetDC, DestroyWindow, DefWindowProcW, SystemParametersInfoW, GetSystemMetrics, GetNextDlgGroupItem, DeleteMenu, ShowOwnedPopups, IntersectRect, MapDialogRect, DestroyMenu, EnableWindow, GetLastActivePopup, GetMenuStringW, OffsetRect, PostQuitMessage, CreateDialogIndirectParamW, PostThreadMessageW, WaitMessage, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, CreateAcceleratorTableW, DestroyAcceleratorTable, CopyAcceleratorTableW, SetRect, LockWindowUpdate, SetMenuDefaultItem, CharUpperBuffW, IsClipboardFormatAvailable, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, EndDialog, GetWindowRgn, RegisterDeviceNotificationW, CharNextExA, KillTimer, SetTimer, MsgWaitForMultipleObjectsEx, GetQueueStatus, DispatchMessageW, TranslateMessage, DrawIconEx, MessageBoxW, GetNextDlgTabItem, GetMenuState, GetSubMenu, GetMenuItemID, GetMenuItemCount, GetMessageW, GetActiveWindow, ValidateRect, SetWindowsHookExW, SetRectEmpty, SendDlgItemMessageA, CopyImage, InflateRect, FillRect, GetWindowDC, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, RealChildWindowFromPoint, CharUpperW, IsDialogMessageW, CheckDlgButton, WinHelpW, GetScrollInfo, SetScrollInfo, GetTopWindow, GetClassNameW, GetClassLongPtrW, PtInRect, EqualRect, CopyRect, MapWindowPoints, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, SetActiveWindow, UpdateWindow, GetDlgCtrlID, GetDlgItem, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, IsMenu, GetClassInfoExW, CallWindowProcW, GetMessageTime, GetMessagePos, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, CheckMenuItem, GetWindowTextLengthW, EnableMenuItem, SetLayeredWindowAttributes
WINMM.dll	timeKillEvent, timeSetEvent, PlaySoundW
MSIMG32.dll	AlphaBlend, TransparentBlt
gdiplus.dll	GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDisposeImage, GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize, GdipCreateBitmapFromStream, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipDeleteGraphics, GdipDrawImageI, GdipCreateBitmapFromHBITMAP, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdiplusShutdown
OLEACC.dll	AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
WINSPOOL.DRV	ClosePrinter, OpenPrinterW, DocumentPropertiesW
SHLWAPI.dll	PathRemoveFileSpecW, PathFindExtensionW, PathStripToRootW, PathIsUNCW, StrFormatKBSizeW, PathFindFileNameW
USERENV.dll	GetUserProfileDirectoryW
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
NETAPI32.dll	NetApiBufferFree, NetShareEnum
WS2_32.dll	WSAAsyncSelect
ADVAPI32.dll	BuildTrusteeWithSidW, GetNamedSecurityInfoW, GetEffectiveRightsFromAclW, LookupAccountSidW, MapGenericMask, GetLengthSid, FreeSid, DuplicateToken, CopySid, AllocateAndInitializeSid, AccessCheck, OpenProcessToken, RegSetValueExW, RegQueryInfoKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, SystemFunction036, RegQueryValueExW, RegOpenKeyExW, RegCloseKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 03:56:05.239944935 CET	49707	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:05.359787941 CET	7700	49707	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:05.359895945 CET	49707	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:05.360234022 CET	49707	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:05.480040073 CET	7700	49707	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:07.951991081 CET	7700	49707	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:07.952050924 CET	49707	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:07.977564096 CET	49709	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.097227097 CET	7700	49709	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:08.097322941 CET	49709	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.097444057 CET	49709	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.217128992 CET	7700	49709	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:08.457530022 CET	49707	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.471591949 CET	49710	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.577347994 CET	7700	49707	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:08.591334105 CET	8080	49710	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:08.591415882 CET	49710	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.592088938 CET	49710	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:08.711747885 CET	8080	49710	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:10.724400997 CET	7700	49709	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:10.724471092 CET	49709	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.238794088 CET	49709	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.248753071 CET	49712	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.255266905 CET	8080	49710	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.258680105 CET	49710	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.258680105 CET	49710	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.314743042 CET	49713	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.358539104 CET	7700	49709	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.368453026 CET	8080	49712	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.369215012 CET	49712	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.369215012 CET	49712	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.378371954 CET	8080	49710	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.437114000 CET	7700	49713	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.437597990 CET	49713	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.437597990 CET	49713	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:11.488995075 CET	8080	49712	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:11.557279110 CET	7700	49713	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:13.946290970 CET	8080	49712	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:13.946352959 CET	49712	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:13.946579933 CET	49712	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:13.992857933 CET	49714	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.052966118 CET	7700	49713	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.053067923 CET	49713	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.066246986 CET	8080	49712	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.112587929 CET	7700	49714	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.112663031 CET	49714	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.112806082 CET	49714	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.232439995 CET	7700	49714	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.566932917 CET	49713	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.572222948 CET	49715	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.686655045 CET	7700	49713	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.691884041 CET	8080	49715	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:14.691962004 CET	49715	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.693346024 CET	49715	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:14.813005924 CET	8080	49715	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:16.697473049 CET	7700	49714	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:16.697582960 CET	49714	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.207604885 CET	49714	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.212824106 CET	49716	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.274384975 CET	8080	49715	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.274457932 CET	49715	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.274723053 CET	49715	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.322103977 CET	49717	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.327368975 CET	7700	49714	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.332518101 CET	8080	49716	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.332586050 CET	49716	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.332715034 CET	49716	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.394377947 CET	8080	49715	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.441817045 CET	7700	49717	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.441912889 CET	49717	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.442047119 CET	49717	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:17.452333927 CET	8080	49716	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:17.561675072 CET	7700	49717	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:19.921150923 CET	8080	49716	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:19.921236038 CET	49716	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:19.921454906 CET	49716	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:19.965810061 CET	49719	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.041100025 CET	8080	49716	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.070768118 CET	7700	49717	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.070848942 CET	49717	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.085477114 CET	7700	49719	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.085560083 CET	49719	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.085689068 CET	49719	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.205341101 CET	7700	49719	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.593349934 CET	49717	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.600369930 CET	49721	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.713100910 CET	7700	49717	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.720154047 CET	8080	49721	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:20.720236063 CET	49721	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.720365047 CET	49721	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:20.840003967 CET	8080	49721	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:22.667596102 CET	7700	49719	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:22.667656898 CET	49719	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.176762104 CET	49719	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.181801081 CET	49725	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.296691895 CET	7700	49719	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.302233934 CET	8080	49725	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.302405119 CET	49725	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.303672075 CET	49725	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.305991888 CET	8080	49721	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.306582928 CET	49721	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.306902885 CET	49721	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.380780935 CET	49726	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.423963070 CET	8080	49725	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.427133083 CET	8080	49721	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.500484943 CET	7700	49726	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:23.500812054 CET	49726	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.500812054 CET	49726	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:23.620594025 CET	7700	49726	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:26.086793900 CET	7700	49726	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:26.086874008 CET	49726	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:26.598166943 CET	49726	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:26.603671074 CET	49733	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:26.717878103 CET	7700	49726	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:26.723381042 CET	8080	49733	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:26.723453045 CET	49733	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:26.723536015 CET	49733	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:26.843331099 CET	8080	49733	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:29.314424992 CET	8080	49733	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:29.314559937 CET	49733	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:29.314810038 CET	49733	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:29.360044956 CET	49739	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:29.434442043 CET	8080	49733	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:29.479753017 CET	7700	49739	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:29.480542898 CET	49739	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:29.480654955 CET	49739	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:29.600269079 CET	7700	49739	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:32.058129072 CET	7700	49739	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:32.058458090 CET	49739	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:32.566869974 CET	49739	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:32.572021008 CET	49750	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:32.686609030 CET	7700	49739	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:32.691690922 CET	8080	49750	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:32.691811085 CET	49750	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:32.691941023 CET	49750	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:32.811897993 CET	8080	49750	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:33.333790064 CET	49725	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:33.386204004 CET	49751	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:33.497082949 CET	8080	49725	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:33.505916119 CET	7700	49751	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:33.506463051 CET	49751	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:33.506597996 CET	49751	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:33.627788067 CET	7700	49751	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:35.279968023 CET	8080	49750	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:35.280045986 CET	49750	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:35.280289888 CET	49750	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:35.324872971 CET	49756	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:35.399925947 CET	8080	49750	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:35.444596052 CET	7700	49756	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:35.444655895 CET	49756	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:35.444786072 CET	49756	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:35.564407110 CET	7700	49756	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:36.135135889 CET	7700	49751	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:36.135195971 CET	49751	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:36.645148993 CET	49751	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:36.649717093 CET	49761	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:36.764822006 CET	7700	49751	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:36.769414902 CET	8080	49761	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:36.769501925 CET	49761	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:36.769598961 CET	49761	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:36.889261007 CET	8080	49761	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:37.691052914 CET	8080	49725	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:37.691112041 CET	49725	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.026356936 CET	7700	49756	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:38.026467085 CET	49756	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.535619974 CET	49756	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.540803909 CET	49763	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.655416012 CET	7700	49756	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:38.660530090 CET	8080	49763	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:38.660621881 CET	49763	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.660698891 CET	49763	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:38.780334949 CET	8080	49763	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:39.384293079 CET	8080	49761	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:39.384360075 CET	49761	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:39.387057066 CET	49761	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:39.506663084 CET	8080	49761	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:39.594432116 CET	49768	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:39.714087963 CET	7700	49768	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:39.714159012 CET	49768	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:39.714303017 CET	49768	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:39.833930016 CET	7700	49768	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:41.277103901 CET	8080	49763	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:41.277183056 CET	49763	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:41.277470112 CET	49763	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:41.328233957 CET	49774	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:41.397084951 CET	8080	49763	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:41.447949886 CET	7700	49774	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:41.448023081 CET	49774	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:41.448147058 CET	49774	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:41.567770004 CET	7700	49774	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:42.293976068 CET	7700	49768	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:42.294049025 CET	49768	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:42.801285028 CET	49768	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:42.806730032 CET	49776	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:42.920969009 CET	7700	49768	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:42.926388979 CET	8080	49776	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:42.926455975 CET	49776	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:42.926532030 CET	49776	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:43.046200991 CET	8080	49776	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:44.071352005 CET	7700	49774	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:44.071445942 CET	49774	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:44.582622051 CET	49774	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:44.588329077 CET	49781	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:44.702251911 CET	7700	49774	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:44.708019018 CET	8080	49781	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:44.708101034 CET	49781	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:44.708199024 CET	49781	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:44.827881098 CET	8080	49781	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:45.508758068 CET	8080	49776	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:45.508819103 CET	49776	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:45.509191036 CET	49776	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:45.559698105 CET	49787	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:45.628798962 CET	8080	49776	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:45.679346085 CET	7700	49787	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:45.679424047 CET	49787	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:45.679553986 CET	49787	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:45.799264908 CET	7700	49787	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:47.290697098 CET	8080	49781	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:47.290824890 CET	49781	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:47.291115999 CET	49781	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:47.336963892 CET	49789	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:47.410739899 CET	8080	49781	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:47.456645012 CET	7700	49789	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:47.456778049 CET	49789	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:47.456899881 CET	49789	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:47.576520920 CET	7700	49789	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:50.043591976 CET	7700	49789	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:50.043694973 CET	49789	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.551305056 CET	49789	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.567893028 CET	49799	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.570934057 CET	7700	49787	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:50.571168900 CET	49787	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.671077013 CET	7700	49789	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:50.687593937 CET	8080	49799	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:50.687669039 CET	49799	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.687741041 CET	49799	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:50.807410955 CET	8080	49799	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:51.082509041 CET	49787	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:51.091741085 CET	49800	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:51.202181101 CET	7700	49787	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:51.211482048 CET	8080	49800	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:51.213417053 CET	49800	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:51.217287064 CET	49800	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:51.337651014 CET	8080	49800	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:53.303133011 CET	8080	49799	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:53.303220034 CET	49799	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:53.303443909 CET	49799	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:53.343640089 CET	49806	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:53.423062086 CET	8080	49799	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:53.527060986 CET	7700	49806	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:53.527156115 CET	49806	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:53.527291059 CET	49806	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:53.647018909 CET	7700	49806	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.102699995 CET	8080	49800	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.102761030 CET	49800	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.102972984 CET	49800	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.151231050 CET	49815	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.166742086 CET	7700	49806	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.166785002 CET	49806	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.222615957 CET	8080	49800	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.270836115 CET	7700	49815	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.270922899 CET	49815	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.271034002 CET	49815	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.390650988 CET	7700	49815	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.676259995 CET	49806	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.681695938 CET	49818	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.796057940 CET	7700	49806	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.801390886 CET	8080	49818	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:56.801470995 CET	49818	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.801537037 CET	49818	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:56.921209097 CET	8080	49818	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:58.900724888 CET	7700	49815	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:58.900803089 CET	49815	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.410691977 CET	49815	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.416254997 CET	49825	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.428246021 CET	8080	49818	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.428329945 CET	49818	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.428582907 CET	49818	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.500493050 CET	49826	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.533581972 CET	7700	49815	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.538266897 CET	8080	49825	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.538332939 CET	49825	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.538418055 CET	49825	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.550467014 CET	8080	49818	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.622286081 CET	7700	49826	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.622359991 CET	49826	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.622478008 CET	49826	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:56:59.660407066 CET	8080	49825	47.238.215.73	192.168.2.5
Dec 7, 2024 03:56:59.742106915 CET	7700	49826	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.211699009 CET	8080	49825	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.211813927 CET	49825	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.217500925 CET	49825	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.257241011 CET	7700	49826	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.257946014 CET	49826	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.263619900 CET	49832	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.337162018 CET	8080	49825	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.383395910 CET	7700	49832	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.383485079 CET	49832	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.383611917 CET	49832	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.503294945 CET	7700	49832	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.770133972 CET	49826	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.775257111 CET	49838	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.889812946 CET	7700	49826	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.894932032 CET	8080	49838	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:02.895035982 CET	49838	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:02.895169973 CET	49838	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:03.014816999 CET	8080	49838	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.007740974 CET	7700	49832	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.008764982 CET	49832	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.512357950 CET	8080	49838	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.512471914 CET	49838	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.512737989 CET	49838	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.551321983 CET	49832	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.562616110 CET	49843	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.564205885 CET	49844	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.632441044 CET	8080	49838	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.671072006 CET	7700	49832	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.682883024 CET	8080	49843	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.683012962 CET	49843	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.684118986 CET	7700	49844	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.684192896 CET	49844	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.697309971 CET	49843	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.697493076 CET	49844	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:05.817066908 CET	8080	49843	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:05.817229033 CET	7700	49844	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.257257938 CET	7700	49844	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.257364035 CET	49844	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.258027077 CET	8080	49843	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.258080959 CET	49843	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.258304119 CET	49843	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.305098057 CET	49850	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.377892017 CET	8080	49843	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.424962044 CET	7700	49850	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.425080061 CET	49850	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.449304104 CET	49850	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.568998098 CET	7700	49850	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.805115938 CET	49844	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.825862885 CET	49851	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.924727917 CET	7700	49844	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.945513964 CET	8080	49851	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:08.945585012 CET	49851	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:08.945700884 CET	49851	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:09.065356970 CET	8080	49851	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.053868055 CET	7700	49850	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.053951979 CET	49850	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.567064047 CET	49850	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.572520018 CET	49861	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.590282917 CET	8080	49851	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.590384960 CET	49851	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.590601921 CET	49851	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.635560036 CET	49862	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.686727047 CET	7700	49850	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.692218065 CET	8080	49861	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.692290068 CET	49861	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.692368031 CET	49861	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.711864948 CET	8080	49851	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.755232096 CET	7700	49862	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.755316973 CET	49862	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.755438089 CET	49862	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:11.812681913 CET	8080	49861	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:11.875056028 CET	7700	49862	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.291618109 CET	8080	49861	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.291717052 CET	49861	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.291960955 CET	49861	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.342838049 CET	49868	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.400506020 CET	7700	49862	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.400558949 CET	49862	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.468506098 CET	8080	49861	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.468542099 CET	7700	49868	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.468617916 CET	49868	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.468734980 CET	49868	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.688244104 CET	7700	49868	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:14.910579920 CET	49862	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:14.915855885 CET	49870	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:15.030304909 CET	7700	49862	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:15.035587072 CET	8080	49870	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:15.035693884 CET	49870	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:15.035779953 CET	49870	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:15.155500889 CET	8080	49870	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.104571104 CET	7700	49868	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.104649067 CET	49868	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.613744020 CET	49868	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.619003057 CET	49876	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.641360998 CET	8080	49870	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.641441107 CET	49870	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.641659021 CET	49870	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.681652069 CET	49877	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.733486891 CET	7700	49868	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.738646984 CET	8080	49876	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.738713026 CET	49876	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.738967896 CET	49876	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.761264086 CET	8080	49870	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.801357985 CET	7700	49877	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.801420927 CET	49877	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.801959991 CET	49877	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:17.858627081 CET	8080	49876	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:17.921610117 CET	7700	49877	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:20.325373888 CET	8080	49876	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:20.325485945 CET	49876	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.325807095 CET	49876	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.375443935 CET	49886	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.445399046 CET	8080	49876	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:20.495127916 CET	7700	49886	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:20.495275021 CET	49886	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.495414972 CET	49886	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.513273001 CET	7700	49877	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:20.513381958 CET	49877	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:20.615082026 CET	7700	49886	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:21.019953966 CET	49877	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:21.027569056 CET	49889	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:21.139724970 CET	7700	49877	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:21.147300959 CET	8080	49889	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:21.147375107 CET	49889	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:21.147470951 CET	49889	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:21.267139912 CET	8080	49889	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.134948015 CET	7700	49886	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.135015011 CET	49886	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.644963980 CET	49886	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.650824070 CET	49894	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.764672041 CET	7700	49886	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.770490885 CET	8080	49894	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.770576954 CET	49894	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.770714998 CET	49894	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.775928020 CET	8080	49889	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.775993109 CET	49889	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.776309967 CET	49889	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.820657969 CET	49895	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.890377045 CET	8080	49894	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.895908117 CET	8080	49889	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.940324068 CET	7700	49895	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:23.940395117 CET	49895	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:23.940524101 CET	49895	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:24.060165882 CET	7700	49895	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:26.376126051 CET	8080	49894	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:26.376287937 CET	49894	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.376538992 CET	49894	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.421947002 CET	49900	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.496290922 CET	8080	49894	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:26.541651011 CET	7700	49900	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:26.541784048 CET	49900	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.541966915 CET	49900	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.571909904 CET	7700	49895	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:26.571965933 CET	49895	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:26.663184881 CET	7700	49900	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:27.082518101 CET	49895	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:27.087930918 CET	49905	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:27.202260017 CET	7700	49895	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:27.207637072 CET	8080	49905	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:27.207720995 CET	49905	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:27.207837105 CET	49905	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:27.327456951 CET	8080	49905	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.119133949 CET	7700	49900	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.119235992 CET	49900	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.629373074 CET	49900	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.634790897 CET	49911	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.749388933 CET	7700	49900	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.754489899 CET	8080	49911	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.754581928 CET	49911	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.769946098 CET	49911	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.824336052 CET	8080	49905	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.824429035 CET	49905	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.824711084 CET	49905	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.875650883 CET	49913	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.889641047 CET	8080	49911	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.944344997 CET	8080	49905	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.995296955 CET	7700	49913	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:29.995450020 CET	49913	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:29.995606899 CET	49913	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:30.115267038 CET	7700	49913	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:32.431592941 CET	8080	49911	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:32.431677103 CET	49911	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.431926966 CET	49911	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.477480888 CET	49919	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.551604986 CET	8080	49911	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:32.597194910 CET	7700	49919	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:32.597284079 CET	49919	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.597415924 CET	49919	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.607912064 CET	7700	49913	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:32.607978106 CET	49913	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:32.717061043 CET	7700	49919	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:33.114001989 CET	49913	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:33.120449066 CET	49920	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:33.233735085 CET	7700	49913	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:33.240154028 CET	8080	49920	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:33.240236998 CET	49920	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:33.240331888 CET	49920	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:33.359962940 CET	8080	49920	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.213486910 CET	7700	49919	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.213551044 CET	49919	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.723134995 CET	49919	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.728013039 CET	49928	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.839929104 CET	8080	49920	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.840003967 CET	49920	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.840244055 CET	49920	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.843914986 CET	7700	49919	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.848872900 CET	8080	49928	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.848941088 CET	49928	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.849016905 CET	49928	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.884840965 CET	49931	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:35.960418940 CET	8080	49920	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:35.968919039 CET	8080	49928	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:36.004544020 CET	7700	49931	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:36.004612923 CET	49931	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:36.004723072 CET	49931	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:36.124314070 CET	7700	49931	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:38.442966938 CET	8080	49928	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:38.443192959 CET	49928	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.443428040 CET	49928	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.488472939 CET	49938	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.563066006 CET	8080	49928	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:38.590893030 CET	7700	49931	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:38.590951920 CET	49931	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.608237028 CET	7700	49938	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:38.608324051 CET	49938	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.608443975 CET	49938	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:38.728044987 CET	7700	49938	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:39.098077059 CET	49931	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:39.103102922 CET	49939	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:39.217753887 CET	7700	49931	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:39.222773075 CET	8080	49939	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:39.222887993 CET	49939	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:39.223170042 CET	49939	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:39.343481064 CET	8080	49939	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.184554100 CET	7700	49938	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.184617043 CET	49938	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.691812038 CET	49938	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.698798895 CET	49944	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.811536074 CET	7700	49938	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.818502903 CET	8080	49944	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.822474003 CET	49944	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.822540998 CET	49944	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.854243994 CET	8080	49939	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.854464054 CET	49939	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.854692936 CET	49939	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.897849083 CET	49945	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:41.942286968 CET	8080	49944	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:41.974582911 CET	8080	49939	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:42.017622948 CET	7700	49945	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:42.017708063 CET	49945	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:42.017873049 CET	49945	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:42.137551069 CET	7700	49945	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:44.638617039 CET	7700	49945	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:44.638679981 CET	49945	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:45.145113945 CET	49945	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:45.151070118 CET	49955	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:45.264784098 CET	7700	49945	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:45.270735979 CET	8080	49955	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:45.270808935 CET	49955	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:45.270880938 CET	49955	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:45.390533924 CET	8080	49955	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:47.898565054 CET	8080	49955	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:47.898639917 CET	49955	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:47.898905039 CET	49955	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:47.943543911 CET	49962	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:48.018512011 CET	8080	49955	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:48.063216925 CET	7700	49962	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:48.063317060 CET	49962	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:48.063437939 CET	49962	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:48.183176041 CET	7700	49962	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:49.729248047 CET	8080	49944	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:49.729306936 CET	49944	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:49.729552031 CET	49944	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:49.778522015 CET	49968	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:49.849179029 CET	8080	49944	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:49.898267031 CET	7700	49968	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:49.898399115 CET	49968	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:49.906506062 CET	49968	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:50.026369095 CET	7700	49968	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:50.653974056 CET	7700	49962	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:50.654131889 CET	49962	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:51.160649061 CET	49962	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:51.171557903 CET	49971	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:51.280411959 CET	7700	49962	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:51.291224957 CET	8080	49971	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:51.293925047 CET	49971	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:51.294048071 CET	49971	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:51.413690090 CET	8080	49971	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:52.510591030 CET	7700	49968	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:52.510706902 CET	49968	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.020041943 CET	49968	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.026371956 CET	49975	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.139627934 CET	7700	49968	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:53.146032095 CET	8080	49975	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:53.146111012 CET	49975	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.146378040 CET	49975	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.266004086 CET	8080	49975	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:53.872989893 CET	8080	49971	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:53.873104095 CET	49971	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.873419046 CET	49971	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.925426960 CET	49980	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:53.993154049 CET	8080	49971	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:54.045350075 CET	7700	49980	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:54.045449972 CET	49980	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:54.045589924 CET	49980	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:54.165460110 CET	7700	49980	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:55.775860071 CET	8080	49975	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:55.776016951 CET	49975	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:55.776268959 CET	49975	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:55.822133064 CET	49986	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:55.895934105 CET	8080	49975	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:55.941884041 CET	7700	49986	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:55.941950083 CET	49986	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:55.942085981 CET	49986	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:56.061681032 CET	7700	49986	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:56.664369106 CET	7700	49980	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:56.664459944 CET	49980	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:57.176259995 CET	49980	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:57.181576967 CET	49988	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:57.295948982 CET	7700	49980	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:57.301306963 CET	8080	49988	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:57.301388025 CET	49988	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:57.301479101 CET	49988	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:57.421072960 CET	8080	49988	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:59.976897955 CET	8080	49988	47.238.215.73	192.168.2.5
Dec 7, 2024 03:57:59.977000952 CET	49988	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:57:59.977310896 CET	49988	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:00.021351099 CET	49997	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:00.098536968 CET	8080	49988	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:00.141872883 CET	7700	49997	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:00.141947031 CET	49997	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:00.142165899 CET	49997	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:00.262639046 CET	7700	49997	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:02.731678009 CET	7700	49997	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:02.731781006 CET	49997	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:03.238667011 CET	49997	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:03.244040012 CET	50005	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:03.359124899 CET	7700	49997	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:03.363785028 CET	8080	50005	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:03.363869905 CET	50005	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:03.374767065 CET	50005	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:03.494463921 CET	8080	50005	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:05.950340033 CET	8080	50005	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:05.950481892 CET	50005	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:05.950733900 CET	50005	8080	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:06.015072107 CET	50011	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:06.066735983 CET	49986	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:06.070415020 CET	8080	50005	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:06.134763002 CET	7700	50011	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:06.138520002 CET	50011	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:06.138639927 CET	50011	7700	192.168.2.5	47.238.215.73
Dec 7, 2024 03:58:06.186459064 CET	7700	49986	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:06.258248091 CET	7700	50011	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:08.714071035 CET	7700	50011	47.238.215.73	192.168.2.5
Dec 7, 2024 03:58:08.714128017 CET	50011	7700	192.168.2.5	47.238.215.73

HTTP Request Dependency Graph

47.238.215.73

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:08.592088938 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: llCU4F+qo5jK74A+YNYU6Q== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:11.369215012 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: XLuJFIBDWavl0qvxoTvaYw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:14.693346024 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: IyV9SKHbDr4Attaj4qGh3g== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:17.332715034 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: 6ZByfMJzxNEbmQFVIwZnWQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:20.720365047 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: sPtmsOMMeuQ2fCsHZGst1A== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49725	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:23.303672075 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dmZb4wSkL/hRX1a6pdHzTw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49733	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:26.723536015 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: PdFPFyQ85QtsQoFs5za6yQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49750	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:32.691941023 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: yqY4f2ZtUDGhCdfQaQBGvw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49761	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:36.769598961 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: KIrTGZI4Qp/FjbsTFd1ODQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49763	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:38.660698891 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: V3wh5qieu1fXzyw168vTtA== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49776	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:42.926532030 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: tWC8gdRprsb7UxB4l6jbAw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49781	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:44.708199024 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: 5FEKTurOJ30NlYKZbZZfqg== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49799	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:50.687741041 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: cSfztSz/kqNDXNj+72Drnw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49800	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:51.217287064 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: QjWl6BaaGewxGmbcGXJn+A== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49818	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:56.801537037 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: /v3cHW4w/cl4Ii1icit4lQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49825	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:56:59.538418055 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: xWjQUY/Is9yTBVgUs5A+EA== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49838	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:02.895169973 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: i9LFhbBgae+u6YPH9PYEig== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49843	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:05.697309971 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: Uj25uND5HgLJzK55NVvLBQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49851	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:08.945700884 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: GKiu7PGR1BXkr9krdsCRgA== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49861	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:11.692368031 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: 3xOiIBIqiij/kgTdtyZX+w== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49870	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:15.035779953 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: pX6XVDPCPzsadS6Q+Isddg== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49876	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:17.738967896 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: bOiLiFRa9U81WVlCOfDk8A== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49889	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:21.147470951 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: MlOAu3XzqmJQPIT0elWqaw== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49894	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:23.770714998 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: +b5075aLYHVqH6+mu7tw5g== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49905	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:27.207837105 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: vylpI7cjFoiFAtpY/CA2YQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49911	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:29.769946098 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: hpRdV9i8y5ug5QULPoX92w== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49920	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:33.240331888 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: TP9Si/lUga67yS+9f+vDVg== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49928	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:35.849016905 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: E2lGvhrsN8HWrFpvwFCJ0Q== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49939	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:39.223170042 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: 2dQ78juF7NTxj4UhAbVPTA== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49944	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:41.822540998 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: oD8vJlwdoucMcrDUQhsWxg== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49955	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:45.270880938 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: ZqokWny1WPonVduGg4DcQQ== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49971	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:51.294048071 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: i/izKMkZ/3xlvel7cMKqCg== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49975	47.238.215.73	8080	6204	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:53.146378040 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: InFajtRMPNduXqIM2zns3g== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49988	47.238.215.73	8080	7116	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:57:57.301479101 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: GM6cjwtJa6Kbgz/g84w3AA== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.5	50005	47.238.215.73	8080

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 03:58:03.374767065 CET	255	OUT	GET / HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Host: 47.238.215.73 Origin: http://47.238.215.73 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: paSF90161sjRSpVEdVfD9Q== Sec-WebSocket-Protocol: http Sec-WebSocket-Version: 13

Target ID:	0
Start time:	21:56:01
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\png131.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\png131.exe"
Imagebase:	0x7ff62a170000
File size:	28'080'640 bytes
MD5 hash:	CC229473F79F7C6B26F368DC07731472
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000002.2042505160.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000000.2017630234.00007FF62A170000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:56:02
Start date:	06/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	21:56:03
Start date:	06/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	21:56:04
Start date:	06/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:56:05
Start date:	06/12/2024
Path:	C:\Program Files\Windows Mail\arphaCrashReport64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\arphaCrashReport64.exe"
Imagebase:	0x7ff624970000
File size:	238'384 bytes
MD5 hash:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:56:06
Start date:	06/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:56:06
Start date:	06/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	76.4%
Total number of Nodes:	110
Total number of Limit Nodes:	4

Executed Functions

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00000001800015E5
memcpy.NTDLL ref: 0000000180001609
malloc.MSVCRT ref: 0000000180001613
memset.NTDLL ref: 0000000180001648
memset.NTDLL ref: 00000001800016A8
GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
malloc.MSVCRT ref: 00000001800016CD
memset.NTDLL ref: 00000001800016E7
memcpy.NTDLL ref: 00000001800016F5
OpenSCManagerW.ADVAPI32 ref: 0000000180001789
EnumServicesStatusExW.ADVAPI32 ref: 00000001800017D0
malloc.MSVCRT ref: 00000001800017E2
memset.NTDLL ref: 00000001800017FC
EnumServicesStatusExW.ADVAPI32 ref: 0000000180001838
CloseServiceHandle.ADVAPI32 ref: 0000000180001845
free.MSVCRT ref: 000000018000184E
CloseServiceHandle.ADVAPI32 ref: 0000000180001856
lstrcmpiW.KERNEL32 ref: 0000000180001881

Strings

Schedule, xrefs: 0000000180001872

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
String ID: Schedule
API String ID: 3636854120-2739827629
Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000817B
WriteProcessMemory.KERNELBASE ref: 000000018000820C
memset.NTDLL ref: 0000000180008354
memcpy.NTDLL ref: 0000000180008375
NtAlpcConnectPort.NTDLL ref: 00000001800083E7

Strings

Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
0, xrefs: 000000018000828B

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
API String ID: 2322259470-3460289035
Opcode ID: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
Instruction ID: a438414d86da3f9fa76c6e2917a93b97ec5bb287934b9f4f7f73d30ebcaf7dce
Opcode Fuzzy Hash: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
Instruction Fuzzy Hash: 6D713DB5324EC891EBA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 0000000180009CB9

Strings

@, xrefs: 0000000180009CA1

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 000000018000587E
NtQuerySystemInformation.NTDLL ref: 00000001800058CD

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: InformationQuerySystemrealloc
String ID:
API String ID: 4089764311-0
Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE ref: 000000018000559C

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 000000018000194B
GetModuleFileNameW.KERNEL32 ref: 000000018000195D
wcsstr.NTDLL ref: 000000018000196F
IsUserAnAdmin.SHELL32 ref: 000000018000197A
ExitProcess.KERNEL32 ref: 00000001800019A1

Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800015E5
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 0000000180001609
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 0000000180001613
Part of subcall function 00000001800015B0: memset.NTDLL ref: 0000000180001648
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016A8
Part of subcall function 00000001800015B0: GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800016CD
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016E7
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 00000001800016F5
Part of subcall function 00000001800015B0: OpenSCManagerW.ADVAPI32 ref: 0000000180001789

ExitProcess.KERNEL32 ref: 000000018000198E

Strings

svchost.exe, xrefs: 0000000180001963

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
String ID: svchost.exe
API String ID: 2075570005-3106260013
Opcode ID: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
Instruction ID: bee279387a080e4ef1cf93fe2260fe9373c10eb3ce040ed65f2ee5617e8a23f3
Opcode Fuzzy Hash: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
Instruction Fuzzy Hash: 87019631310A4C81FBAADB21E4A93DA6360BB8C795F449025A95E46695DF3CC34CC740

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000ADC2

Strings

@, xrefs: 000000018000ADAC

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 000000018000AA41

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAdjustPrivilege.NTDLL ref: 0000000180008E96

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: AdjustPrivilege
String ID:
API String ID: 3260937286-0
Opcode ID: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
Instruction ID: 04bb496a426d1b43e6b52f20395e61ae4e41d159ec3593a713d9b4970c529e46
Opcode Fuzzy Hash: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
Instruction Fuzzy Hash: A5F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43764CE3DC2158B00

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessId.KERNELBASE ref: 0000000180005A81

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000AF9F

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000A932

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 000000018000B17E

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

Non-executed Functions

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
memcpy.NTDLL ref: 00000001800010EB
memcpy.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
Sleep.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
Sleep.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
Sleep.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
memcpy.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
memcpy.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9
\Microsoft\Windows, xrefs: 000000018000149C

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 1085075972-4137575348
Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 0000000180001A3B
CLSIDFromString.OLE32 ref: 0000000180001CFA
IIDFromString.OLE32 ref: 0000000180001D0D
CoCreateInstance.OLE32 ref: 0000000180001D2C

Strings

X:^:, xrefs: 0000000180001AE8
\:[:, xrefs: 0000000180001B9B
:Y:, xrefs: 0000000180001C3F
X:[:, xrefs: 0000000180001BAA
:, xrefs: 0000000180001CA0
^:G:, xrefs: 0000000180001B44
A::, xrefs: 0000000180001A4F
Y:\:, xrefs: 0000000180001AD8
:_:, xrefs: 0000000180001AF0
\:^:, xrefs: 0000000180001C4D
Y::, xrefs: 0000000180001C46

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.OLE32 ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

SYSTEM, xrefs: 0000000180001DD9
{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Function 0000000180028464 Relevance: 14.7, APIs: 9, Instructions: 1208COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00000001800284AD
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028AB8
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028C7B
_invalid_parameter_noinfo.LIBCMT ref: 0000000180028E82
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029146
_invalid_parameter_noinfo.LIBCMT ref: 0000000180029341
memcpy_s.LIBCPMT ref: 000000018002942F
memcpy_s.LIBCPMT ref: 00000001800294DA
memcpy_s.LIBCPMT ref: 00000001800295A3

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID:
API String ID: 808467561-0
Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00

Function 0000000180007550 Relevance: 9.2, Strings: 7, Instructions: 485COMMON

Download Yara Rule

Strings

ntdll.dll, xrefs: 000000018000780A
NtAlpcCreatePort, xrefs: 00000001800078E1
?Vse4", xrefs: 000000018000759B
NtAlpcConnectPort, xrefs: 0000000180007C5F
TpAllocAlpcCompletion, xrefs: 0000000180007A0A
\RPC Control\, xrefs: 0000000180007729
NtAlpcSetInformation, xrefs: 0000000180007B33

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
API String ID: 0-3440571002
Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700

Function 0000000180016D88 Relevance: 7.0, Strings: 5, Instructions: 783COMMON

Download Yara Rule

Strings

__swift_2, xrefs: 0000000180017D34
__unaligned, xrefs: 0000000180017A1E
__restrict, xrefs: 0000000180017B37
call, xrefs: 0000000180016FE8
__swift_1, xrefs: 0000000180017D10

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: ExceptionThrow
String ID: __restrict$__swift_1$__swift_2$__unaligned$call
API String ID: 432778473-3141380587
Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700

Function 0000000180023B98 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180023BFC

Strings

gfffffff, xrefs: 0000000180023E99

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701

Function 0000000180003DBC Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

C:\windows\system32\, xrefs: 0000000180003F43
WinSta0\Default, xrefs: 000000018000409C
taskmgr.exe, xrefs: 0000000180003F94
C:\windows\, xrefs: 00000001800040A8

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
API String ID: 0-638001070
Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704

Function 0000000180003AE0 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

C:\windows\system32\, xrefs: 0000000180003B90
winver.exe, xrefs: 0000000180003BE1
WinSta0\Default, xrefs: 0000000180003C39
C:\windows\, xrefs: 0000000180003C45

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
API String ID: 0-1160837885
Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704

Function 0000000180028038 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000018002809E
memcpy_s.LIBCPMT ref: 00000001800280C9

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00

Function 000000018001FED8 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 00000001800200A7
ko-KR, xrefs: 000000018001FEEC

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$ko-KR
API String ID: 3215553584-2196303776
Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705

Function 0000000180003220 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180003282
p, xrefs: 00000001800032F3

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: 0$p
API String ID: 0-2059906072
Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700

Function 0000000180024EB0 Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024EF9

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304

Function 000000018002C080 Relevance: 1.7, APIs: 1, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018002C2CF

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction ID: 0593f73a9b31075b8e6bf2cb9e383320a294c5aeb291d1da762f6cdddc12ea76
Opcode Fuzzy Hash: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
Instruction Fuzzy Hash: 10B12B73600B88CBEB56CF29C88679C77A0F349B88F19C916EB59877A8CB35C955C701

Function 0000000180010F18 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

l section in CAtlBaseModule, xrefs: 0000000180010FB7

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: ExceptionThrow
String ID: l section in CAtlBaseModule
API String ID: 432778473-2709337986
Opcode ID: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction ID: 3133a5dfd5f79aac6ce2c53f471fbcfe22b2aa6c2a7d5a5a984ae032cb248d46
Opcode Fuzzy Hash: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
Instruction Fuzzy Hash: 23027C36600E8886EB96DF25E8443DD73A1FB8DBD5F448526EA4E43BA4DF38C648C700

Function 00000001800180EE Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

__restrict, xrefs: 00000001800183C3

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: __restrict
API String ID: 0-803856930
Opcode ID: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction ID: 2a1f3f8c5416bf1435224dd1e95b651f0a407b08188742a7ac323c2b5a68232f
Opcode Fuzzy Hash: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
Instruction Fuzzy Hash: DAF15936601F4886EB928F65D8543DC73A5EB8DBC8F548526FE0E47BA4DE78CB498340

Function 000000018001FC0C Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 000000018001FDDB

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction ID: 71f2418fc044250fc616a08c0bb954c8cfb89a1255eab9d4a98bc77a135e3a3b
Opcode Fuzzy Hash: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
Instruction Fuzzy Hash: 5871E235210A0D82FBFB9A29A0407F92392E7487C4F94D016BE46577EACF35CA4B9745

Function 0000000180002C8A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

201ef99a-7fa0-444c-9399-19ba84f12a1a, xrefs: 0000000180002DAE

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
API String ID: 0-3963691810
Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300

Function 0000000180002526 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

ncalrpc, xrefs: 00000001800025DE

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: ncalrpc
API String ID: 0-2983622238
Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700

Function 0000000180014848 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354

Function 000000018000DEE8 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700

Function 0000000180029E8C Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700

Function 00000001800151E8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00

Function 00000001800069E0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
Instruction ID: 30b487c4dbfd5edb157edb9dd0446cf9089909246d75a709a71c41256c183c41
Opcode Fuzzy Hash: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
Instruction Fuzzy Hash: 4F410672B10A5886EB14CF64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700

Function 000000018000469C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304

Function 00000001800096E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700

Function 0000000180008EC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300

Function 0000000180021F44 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300

Function 000000018000B1AC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
Instruction ID: 9b73b6c5183f860324fa61cee2baeb0ca0f8f8b507aed4a99a4e0eda6c344d24
Opcode Fuzzy Hash: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
Instruction Fuzzy Hash: 984103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A58DF38C246C300

Function 000000018001AA6C Relevance: .1, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00

Function 0000000180006AB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740

Function 000000018000C2D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340

Function 000000018000C6F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction ID: 1f6bebfb10a220892d2831274fb9d9e41c253fa787b11ea253d3ff134c5c468f
Opcode Fuzzy Hash: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
Instruction Fuzzy Hash: FF419FB2214F88D2EB54CF55E88478AB7A6F3447C4F94D126EE8D5BA18CF78C15AC740

Function 000000018000BEB0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction ID: d558cfae5a731fffe16df58c07b62597b32ae423ecf54f032ed4b289fbb168ab
Opcode Fuzzy Hash: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
Instruction Fuzzy Hash: 4041D3B2324E4DD2DF48CB15E454B9A7365F748BC8F658216DA4E87768EF39C21AC700

Function 000000018000B620 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction ID: c4b80034388e89da8ffe7b427c8155ba048d36e5b74cf413b7ce4096cc0294b9
Opcode Fuzzy Hash: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
Instruction Fuzzy Hash: AC4126B2728E48A2DB14CF25E69878E7762F3443C4F45A206EE4E57328DF39C225C700

Function 000000018000C370 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction ID: 30f2c0aa2bc627d33595a3753288768bcaf23473739ac437f1ff85fbf168e941
Opcode Fuzzy Hash: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
Instruction Fuzzy Hash: FA31CFB2764E8987EB94CFA4E4657EA3B21F384398F84911BDE4F47A14DE68C01AC341

Function 000000018000435B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction ID: 42c4d16a0e0d136c5a94160c46d85d5892129638e54f14ca30ac4ff8e229c4e5
Opcode Fuzzy Hash: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
Instruction Fuzzy Hash: 65310DF9654B9892EB55DBB8F8697C62322F74D7D8F81B502CE0E27624DE38D209C740

Function 000000018000947B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction ID: 91db3ca7ca736f51b2b9f4a1fdda40ff6b442f2c49d3b76bc6f7bd54feb42801
Opcode Fuzzy Hash: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
Instruction Fuzzy Hash: 2531FBB5314E8481EF99CF66ECA93A66362FB88BE4F54E1168E0F57B64CE3DC1458304

Function 0000000180004153 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction ID: b9540b73c02fa2fd8fd9ed4b04a7558bae6bb2522907684b3f8178f982c6447f
Opcode Fuzzy Hash: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
Instruction Fuzzy Hash: 3F215EF53159A882EB95CF65E8787972322FB49BD8F81E112CD1E57764DE38C209C304

Function 000000018000B280 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction ID: 34ebe62695f2a6a6ea2397927167a92a4784dc70ec7df40509b9419055f8788e
Opcode Fuzzy Hash: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
Instruction Fuzzy Hash: 7D31C1F6715A499AEB14CF60E46478AB3A5F3447C8F48E226EA4E47A1CDF78C219C304

Function 0000000180004CB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction ID: ea228047f8abccb8f34d8cb69d0855da280cee6fe6b78123f25de321abaee775
Opcode Fuzzy Hash: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
Instruction Fuzzy Hash: BD2101B2724E8885EB95CF62E828B9A7361F38CBD4F419126DE4E47B54CE3CC10AC700

Function 0000000180006F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction ID: 6d7058e35041f85eefca8006119c3596d2fa62747ef7dd2be534be946fff4e46
Opcode Fuzzy Hash: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
Instruction Fuzzy Hash: BB21D5B2764E5892DB59CFB6E864BC63761E759BD4F40A116EE0D57324EE38CA06C300

Function 000000018000B6C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700

Function 0000000180003833 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300

Function 0000000180002666 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300

Function 00000001800044C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
Instruction ID: 7d1135aa24797edbf35de8feb47ffd13e3235087d5b84f893e072cfd3e31e24b
Opcode Fuzzy Hash: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
Instruction Fuzzy Hash: D1118EA271498C46FB96DBB4F969BD76322EB4C3A9F80A012DD0D07A55DD3CC24AC700

Function 0000000180002A19 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300

Function 0000000180003717 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700

Function 000000018000290C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700

Function 0000000180002170 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300

Function 000000018000360B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700

Function 00000001800045A9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744

Function 0000000180002777 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304

Function 000000018000225E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300

Function 000000018000284D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340

Function 0000000180003CF2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340

Function 0000000180003530 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700

Function 0000000180002A06 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300

Function 0000000180003464 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700

Function 0000000180005E58 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304

Function 0000000180003880 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300

Function 0000000180002E24 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300

Function 00000001800033B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304

Function 00000001801192F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3ddfbc868f6065ffe767d851de8c921da867ab70b60f36a16818b6ae2783e2
Instruction ID: 25fa32b9592b03976deda56ce68f7006c0e09b50e392c9a4b74df2dc8d512546
Opcode Fuzzy Hash: 7d3ddfbc868f6065ffe767d851de8c921da867ab70b60f36a16818b6ae2783e2
Instruction Fuzzy Hash: 7CF0127785EBC45FD39B4E3418692D82F60E3A6F10F999097D2B1872C3DA0D490A8755

Function 000000018002BBA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04

Function 0000000180119010 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5f7c9d0704411a4b56306bd58b46b9c1021f1cb262293bba8d931b5fd5afcd
Instruction ID: 1bf6acf3fe077d02731fcfa794fd65e31f8237ceadce551fdfbbfb6cfb4d3e63
Opcode Fuzzy Hash: 4d5f7c9d0704411a4b56306bd58b46b9c1021f1cb262293bba8d931b5fd5afcd
Instruction Fuzzy Hash: D2E04F57D0AEC846F3DB001849193C90B899B1A7B4F99D36E5E74472D35F0A8A056345

Function 000000018001A7E8 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000018001A7F7

Part of subcall function 0000000180019CF8: __vcrt_initialize.LIBVCRUNTIME ref: 0000000180019D1A

__scrt_release_startup_lock.LIBCMT ref: 000000018001A87A
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A890
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A8BC
__scrt_get_show_window_mode.LIBCMT ref: 000000018001A8CD
__scrt_is_managed_app.LIBCMT ref: 000000018001A8F0
__scrt_uninitialize_crt.LIBCMT ref: 000000018001A907
__scrt_fastfail.LIBCMT ref: 000000018001A939
__scrt_fastfail.LIBCMT ref: 000000018001A944
__security_init_cookie.LIBCMT ref: 000000018001A960

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
String ID:
API String ID: 1326835672-0
Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

Function 0000000180019F69 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 000000018001A062
__scrt_fastfail.LIBCMT ref: 000000018001A0B1
__scrt_fastfail.LIBCMT ref: 000000018001A0BC
__scrt_fastfail.LIBCMT ref: 000000018001A0C7

Strings

`local vftable', xrefs: 0000000180019FE0
onstructor closure', xrefs: 0000000180019FF4
`udt returning', xrefs: 0000000180019FCC
`eh vector vbase constructor iterator', xrefs: 0000000180019F9C

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
API String ID: 2273495996-2419032777
Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

Function 000000018002B9A8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018002B9D0
_set_statfp.LIBCMT ref: 000000018002B9EB
_set_statfp.LIBCMT ref: 000000018002BA07
_set_statfp.LIBCMT ref: 000000018002BA43

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302

Function 000000018001F660 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018001F698
_invalid_parameter_noinfo.LIBCMT ref: 000000018001F8D2

Strings

*, xrefs: 000000018001F7A5
ko-KR, xrefs: 000000018001F6B7

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *$ko-KR
API String ID: 3215553584-1095117856
Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750

Function 0000000180017B98 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

__swift_2, xrefs: 0000000180017D34
__swift_1, xrefs: 0000000180017D10

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID:
String ID: __swift_1$__swift_2
API String ID: 0-2914474356
Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340

Function 0000000180023FE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024027

Strings

gfff, xrefs: 0000000180024149
o-l1-2-1, xrefs: 00000001800240CC

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfff$o-l1-2-1
API String ID: 3215553584-1082851355
Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700

Function 0000000180024430 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018002459E

Strings

api-ms-win-core-sysinfo-l1-2-1, xrefs: 00000001800244D1
synch-l1-2-0, xrefs: 00000001800244A4

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
API String ID: 3215553584-688204690
Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340

Function 000000018001D646 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001C478: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000018001C47C

__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D66E
__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D6F8

Strings

csm, xrefs: 000000018001D6CB

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01

Function 000000018001A972 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000018001A99B

Strings

nt delete closure', xrefs: 000000018001A9A0
`vector destructor iterator', xrefs: 000000018001A980

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: __std_exception_copy
String ID: `vector destructor iterator'$nt delete closure'
API String ID: 592178966-1611991873
Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301

Function 000000018001AA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000018001AA55
_CxxThrowException.LIBVCRUNTIME ref: 000000018001AA66

Strings

File, xrefs: 000000018001AA5A

Memory Dump Source

Source File: 00000000.00000002.2037676551.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.2037654207.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038158438.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038357920.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2038486185.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_png131.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: File
API String ID: 932687459-749574446
Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Analysis Process: svchost.exePID: 1068, Parent PID: 6604COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	49.9%
Total number of Nodes:	379
Total number of Limit Nodes:	37

Executed Functions

Function 00000254A3910680 Relevance: 130.0, APIs: 73, Strings: 1, Instructions: 492
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,00000254A3901B37), ref: 00000254A3910697
GetCurrentProcess.KERNEL32 ref: 00000254A39106C8
OpenProcessToken.ADVAPI32 ref: 00000254A39106D9
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A3910701
AdjustTokenPrivileges.KERNELBASE ref: 00000254A3910721
GetLastError.KERNEL32 ref: 00000254A3910727
CloseHandle.KERNEL32 ref: 00000254A391073B
VirtualAlloc.KERNEL32 ref: 00000254A3910752
InitializeCriticalSection.KERNEL32 ref: 00000254A3910764
IsBadReadPtr.KERNEL32 ref: 00000254A391077D
EnterCriticalSection.KERNEL32 ref: 00000254A3910790
VirtualAlloc.KERNEL32 ref: 00000254A39107A7
LeaveCriticalSection.KERNEL32 ref: 00000254A39107D6
IsBadReadPtr.KERNEL32 ref: 00000254A39107E8
EnterCriticalSection.KERNEL32 ref: 00000254A39107FB
VirtualAlloc.KERNEL32 ref: 00000254A3910812
LeaveCriticalSection.KERNEL32 ref: 00000254A3910841
IsBadReadPtr.KERNEL32 ref: 00000254A3910853
EnterCriticalSection.KERNEL32 ref: 00000254A3910866
VirtualAlloc.KERNEL32 ref: 00000254A391087D
LeaveCriticalSection.KERNEL32 ref: 00000254A39108AC
IsBadReadPtr.KERNEL32 ref: 00000254A39108BE
EnterCriticalSection.KERNEL32 ref: 00000254A39108D1
VirtualAlloc.KERNEL32 ref: 00000254A39108E8
LeaveCriticalSection.KERNEL32 ref: 00000254A3910917
IsBadReadPtr.KERNEL32 ref: 00000254A3910929
EnterCriticalSection.KERNEL32 ref: 00000254A391093C
VirtualAlloc.KERNEL32 ref: 00000254A3910953
LeaveCriticalSection.KERNEL32 ref: 00000254A3910982
IsBadReadPtr.KERNEL32 ref: 00000254A3910994
EnterCriticalSection.KERNEL32 ref: 00000254A39109A7
VirtualAlloc.KERNEL32 ref: 00000254A39109BE
LeaveCriticalSection.KERNEL32 ref: 00000254A39109ED
IsBadReadPtr.KERNEL32 ref: 00000254A39109FF
EnterCriticalSection.KERNEL32 ref: 00000254A3910A12
VirtualAlloc.KERNEL32 ref: 00000254A3910A29
LeaveCriticalSection.KERNEL32 ref: 00000254A3910A58
IsBadReadPtr.KERNEL32 ref: 00000254A3910A6A
EnterCriticalSection.KERNEL32 ref: 00000254A3910A7D
VirtualAlloc.KERNEL32 ref: 00000254A3910A94
LeaveCriticalSection.KERNEL32 ref: 00000254A3910AC3
IsBadReadPtr.KERNEL32 ref: 00000254A3910AD5
EnterCriticalSection.KERNEL32 ref: 00000254A3910AEB
LeaveCriticalSection.KERNEL32 ref: 00000254A3910B16
IsBadReadPtr.KERNEL32 ref: 00000254A3910B2E
EnterCriticalSection.KERNEL32 ref: 00000254A3910B44
LeaveCriticalSection.KERNEL32 ref: 00000254A3910B68
IsBadReadPtr.KERNEL32 ref: 00000254A3910B81
EnterCriticalSection.KERNEL32 ref: 00000254A3910B97
LeaveCriticalSection.KERNEL32 ref: 00000254A3910BBB
IsBadReadPtr.KERNEL32 ref: 00000254A3910BD4
EnterCriticalSection.KERNEL32 ref: 00000254A3910BEA
LeaveCriticalSection.KERNEL32 ref: 00000254A3910C16
IsBadReadPtr.KERNEL32 ref: 00000254A3910C2F
EnterCriticalSection.KERNEL32 ref: 00000254A3910C45
LeaveCriticalSection.KERNEL32 ref: 00000254A3910C69
IsBadReadPtr.KERNEL32 ref: 00000254A3910C82
EnterCriticalSection.KERNEL32 ref: 00000254A3910C98
LeaveCriticalSection.KERNEL32 ref: 00000254A3910CBC
IsBadReadPtr.KERNEL32 ref: 00000254A3910CD5
EnterCriticalSection.KERNEL32 ref: 00000254A3910CEB
LeaveCriticalSection.KERNEL32 ref: 00000254A3910D16
IsBadReadPtr.KERNEL32 ref: 00000254A3910D2F
EnterCriticalSection.KERNEL32 ref: 00000254A3910D45
LeaveCriticalSection.KERNEL32 ref: 00000254A3910D69
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DA4
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DB6
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DC8
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DDA
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DEC
LeaveCriticalSection.KERNEL32 ref: 00000254A3910DFE
LeaveCriticalSection.KERNEL32 ref: 00000254A3910E10
LeaveCriticalSection.KERNEL32 ref: 00000254A3910E22

Strings

SeDebugPrivilege, xrefs: 00000254A39106F0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3221255601-2896544425
Opcode ID: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
Instruction ID: 02cd482c491350f33586673e2ceb3a9e66a54812c66c3b2f6157f44392bf383b
Opcode Fuzzy Hash: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
Instruction Fuzzy Hash: 223238353A1F4083EB95AF11EA28329E769F748BCEF444415CA5A13B94EF39D9E8C305

Function 00000254A3902140 Relevance: 107.0, APIs: 49, Strings: 12, Instructions: 295
memorystringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000254A391B990: VirtualAlloc.KERNEL32 ref: 00000254A391B9B9
Part of subcall function 00000254A391B990: memcpy.NTDLL ref: 00000254A391B9DD
Part of subcall function 00000254A391B990: VirtualAlloc.KERNEL32 ref: 00000254A391BA08
Part of subcall function 00000254A391B990: memcpy.NTDLL ref: 00000254A391BA3D
Part of subcall function 00000254A391B990: memcpy.NTDLL ref: 00000254A391BA73
Part of subcall function 00000254A391B990: memset.NTDLL ref: 00000254A391BB0C
Part of subcall function 00000254A391B990: ExpandEnvironmentStringsW.KERNEL32 ref: 00000254A391BB23
Part of subcall function 00000254A391B990: memset.NTDLL ref: 00000254A391BB38

Part of subcall function 00000254A391D340: GetModuleHandleW.KERNEL32 ref: 00000254A391D35F
Part of subcall function 00000254A391D340: GetCurrentProcess.KERNEL32 ref: 00000254A391D379
Part of subcall function 00000254A391D340: K32GetModuleInformation.KERNEL32 ref: 00000254A391D390
Part of subcall function 00000254A391D340: memset.NTDLL ref: 00000254A391D3A8
Part of subcall function 00000254A391D340: GetSystemDirectoryW.KERNEL32 ref: 00000254A391D3B7
Part of subcall function 00000254A391D340: lstrcatW.KERNEL32 ref: 00000254A391D3D9
Part of subcall function 00000254A391D340: CreateFileW.KERNEL32 ref: 00000254A391D406
Part of subcall function 00000254A391D340: CreateFileMappingW.KERNELBASE ref: 00000254A391D42D
Part of subcall function 00000254A391D340: MapViewOfFile.KERNEL32 ref: 00000254A391D457
Part of subcall function 00000254A391D340: VirtualProtect.KERNEL32 ref: 00000254A391D4F2
Part of subcall function 00000254A391D340: memcpy.NTDLL ref: 00000254A391D507

WSAStartup.WS2_32 ref: 00000254A3902167

Part of subcall function 00000254A391D7D0: CoInitializeEx.OLE32 ref: 00000254A391D820
Part of subcall function 00000254A391D7D0: CoCreateInstance.COMBASE ref: 00000254A391D845
Part of subcall function 00000254A391D7D0: CoUninitialize.OLE32 ref: 00000254A391D86E

GetCommandLineW.KERNEL32 ref: 00000254A39021A4
CommandLineToArgvW.SHELL32 ref: 00000254A39021B4

Part of subcall function 00000254A390AFC0: VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390AFD7
Part of subcall function 00000254A390AFC0: CreateEventW.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B061
Part of subcall function 00000254A390AFC0: VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B086
Part of subcall function 00000254A390AFC0: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B098
Part of subcall function 00000254A390AFC0: VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0BD
Part of subcall function 00000254A390AFC0: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0CF
Part of subcall function 00000254A390AFC0: VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0F4
Part of subcall function 00000254A390AFC0: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B106
Part of subcall function 00000254A390AFC0: VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B12B
Part of subcall function 00000254A390AFC0: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B13D

VirtualAlloc.KERNEL32 ref: 00000254A39021D5
InitializeCriticalSection.KERNEL32 ref: 00000254A39021E7
VirtualAlloc.KERNEL32 ref: 00000254A390220C
InitializeCriticalSection.KERNEL32 ref: 00000254A390221E
memset.NTDLL ref: 00000254A390223F
GetCurrentProcessId.KERNEL32 ref: 00000254A3902244
lstrcmpiW.KERNEL32 ref: 00000254A3902264
lstrcmpiW.KERNEL32 ref: 00000254A390227F
ExitThread.KERNEL32 ref: 00000254A3902290

Strings

perfmon.exe, xrefs: 00000254A3902297
svchost.exe, xrefs: 00000254A39022BE
Schedule, xrefs: 00000254A39022D8, 00000254A3902642
C:\Program Files\Windows Mail, xrefs: 00000254A3902416, 00000254A39024B7, 00000254A39024FD
Microsoft Edge Update Task MachineCore, xrefs: 00000254A3902586
Inject Test, xrefs: 00000254A3902256
/Processid:{F8284233-48F4-4680-ADDD-F8284233}, xrefs: 00000254A39025CB, 00000254A39025F1
47.238.215.73, xrefs: 00000254A39024CA, 00000254A39024D6
MicrosoftEdgeUpdate, xrefs: 00000254A3902532, 00000254A3902567
taskmgr.exe, xrefs: 00000254A3902273
%s\%s, xrefs: 00000254A3902504
arphaCrashReport64.exe, xrefs: 00000254A39022F4, 00000254A39024F6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
String ID: %s\%s$/Processid:{F8284233-48F4-4680-ADDD-F8284233}$47.238.215.73$C:\Program Files\Windows Mail$Inject Test$Microsoft Edge Update Task MachineCore$MicrosoftEdgeUpdate$Schedule$arphaCrashReport64.exe$perfmon.exe$svchost.exe$taskmgr.exe
API String ID: 3540647475-1196762899
Opcode ID: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
Instruction ID: c114829153886ca7b8beacf5bb8750a4421c75384dadda8457c7370ab0b934aa
Opcode Fuzzy Hash: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
Instruction Fuzzy Hash: BAE181213B5F4183FBA4BF21EC68399A369F789B4EF404025D94A466A5FF38C5C9C309

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filememorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 000000018000103C
malloc.MSVCRT ref: 00000001800010C9
memcpy.NTDLL ref: 00000001800010EB
memcpy.NTDLL ref: 0000000180001100
memset.NTDLL ref: 00000001800011B4
wsprintfW.USER32 ref: 00000001800011D5
CreateFileW.KERNEL32 ref: 0000000180001203
GetLastError.KERNEL32 ref: 0000000180001212
WriteFile.KERNEL32 ref: 0000000180001233
GetLastError.KERNEL32 ref: 000000018000123D
CloseHandle.KERNEL32 ref: 0000000180001246
SleepEx.KERNEL32 ref: 0000000180001251
memset.NTDLL ref: 0000000180001266
wsprintfW.USER32 ref: 0000000180001287
CreateFileW.KERNEL32 ref: 00000001800012B5
GetLastError.KERNEL32 ref: 00000001800012C4
WriteFile.KERNEL32 ref: 00000001800012E5
GetLastError.KERNEL32 ref: 00000001800012EF
CloseHandle.KERNEL32 ref: 00000001800012F8
SleepEx.KERNEL32 ref: 0000000180001303
memset.NTDLL ref: 0000000180001318
wsprintfW.USER32 ref: 0000000180001339
CreateFileW.KERNEL32 ref: 0000000180001367
GetLastError.KERNEL32 ref: 0000000180001376
WriteFile.KERNEL32 ref: 0000000180001393
GetLastError.KERNEL32 ref: 000000018000139D
CloseHandle.KERNEL32 ref: 00000001800013A6
SleepEx.KERNEL32 ref: 00000001800013B1
VirtualAlloc.KERNEL32 ref: 00000001800013D4
memcpy.NTDLL ref: 00000001800013F0
CreateThread.KERNEL32 ref: 000000018000140C
VariantInit.OLEAUT32 ref: 0000000180001441
SysAllocString.OLEAUT32 ref: 00000001800014A3
GetLastError.KERNEL32 ref: 00000001800014BE
memset.NTDLL ref: 00000001800014D6
wsprintfW.USER32 ref: 00000001800014F4
memset.NTDLL ref: 000000018000152F
memcpy.NTDLL ref: 0000000180001544
CreateThread.KERNEL32 ref: 0000000180001562

Strings

%s\%s, xrefs: 00000001800011C7, 0000000180001279, 000000018000132B, 00000001800014E9
\Microsoft\Windows, xrefs: 000000018000149C

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
String ID: %s\%s$\Microsoft\Windows
API String ID: 1085075972-4137575348
Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Function 00000254A390F9E0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 201
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 00000254A390FA31
GetLastError.KERNEL32 ref: 00000254A390FA3F
VirtualAllocEx.KERNEL32 ref: 00000254A390FA6B
WriteProcessMemory.KERNEL32 ref: 00000254A390FA8F
GetLastError.KERNEL32 ref: 00000254A390FA99

Strings

h, xrefs: 00000254A390FB9B
@, xrefs: 00000254A390FABA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: AllocErrorLastVirtual$MemoryProcessWrite
String ID: @$h
API String ID: 1382438346-1029331998
Opcode ID: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
Instruction ID: 3f2a99f5307d627853d68a3611689438957da400822f231951d1641279de5056
Opcode Fuzzy Hash: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
Instruction Fuzzy Hash: E581C422328F8087E790DB65A85875EEF54F79A78DF440119EEC643B49EB3CC689CB05

Function 0000000180001A10 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 0000000180001A3B
CLSIDFromString.OLE32 ref: 0000000180001CFA
IIDFromString.OLE32 ref: 0000000180001D0D
CoCreateInstance.COMBASE ref: 0000000180001D2C

Strings

:_:, xrefs: 0000000180001AF0
^:G:, xrefs: 0000000180001B44
:Y:, xrefs: 0000000180001C3F
\:^:, xrefs: 0000000180001C4D
Y::, xrefs: 0000000180001C46
\:[:, xrefs: 0000000180001B9B
X:^:, xrefs: 0000000180001AE8
Y:\:, xrefs: 0000000180001AD8
X:[:, xrefs: 0000000180001BAA
:, xrefs: 0000000180001CA0
A::, xrefs: 0000000180001A4F

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-2205580742
Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Function 0000000180001D60 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 227
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0000000180001DA5
SysAllocString.OLEAUT32 ref: 0000000180001DE4
SysAllocString.OLEAUT32 ref: 0000000180001DF0
IIDFromString.OLE32 ref: 0000000180001F31
SysAllocString.OLEAUT32 ref: 0000000180001F61
SysAllocString.OLEAUT32 ref: 0000000180001F71
VariantInit.OLEAUT32 ref: 0000000180001FEA
SysAllocString.OLEAUT32 ref: 0000000180001FF7

Strings

SYSTEM, xrefs: 0000000180001DD9
{4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}, xrefs: 0000000180001F26

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: String$Alloc$FromInitVariant
String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
API String ID: 929278495-107290059
Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Function 00000254A391D140 Relevance: 15.1, APIs: 10, Instructions: 95
servicestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D165
EnumServicesStatusExW.ADVAPI32 ref: 00000254A391D1B1
malloc.MSVCRT ref: 00000254A391D1C6
memset.NTDLL ref: 00000254A391D1DC
EnumServicesStatusExW.ADVAPI32 ref: 00000254A391D21B
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D228
free.MSVCRT ref: 00000254A391D231
CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D24D
lstrcmpiW.KERNEL32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D26D
free.MSVCRT ref: 00000254A391D291

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
String ID:
API String ID: 2647132813-0
Opcode ID: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
Instruction ID: 2714b1bcedeebc62c320a8c86ebb3552c738d87c46648d88a9f02eb1c57d854a
Opcode Fuzzy Hash: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
Instruction Fuzzy Hash: 5C418232319F409BD7A09F25EC5465AF7A8FB88B5DF544424DA8E43B14EF38C989CB04

Function 00000254A391CA60 Relevance: 15.1, APIs: 10, Instructions: 65
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391CA7B
GetProcessHeap.KERNEL32(?,?,00000000,00000254A3902300), ref: 00000254A391CAA2
HeapAlloc.KERNEL32(?,?,00000000,00000254A3902300), ref: 00000254A391CAB6
CloseHandle.KERNEL32(?,?,00000000,00000254A3902300), ref: 00000254A391CAC7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Heap$AllocCloseCreateHandleProcessSnapshotToolhelp32
String ID:
API String ID: 1926892967-0
Opcode ID: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
Instruction ID: 9a59f92642e74d7a2c8f1d4baf17ea6756fe9912b7c15a1e6cdbde2e64905542
Opcode Fuzzy Hash: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
Instruction Fuzzy Hash: 2B2176213A4E4187EBD0AF22AC18319A7A4F74DFDEF485124DE5657754EE38C4C58B05

Function 00000254A391D340 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 129
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000254A391D35F
GetCurrentProcess.KERNEL32 ref: 00000254A391D379
K32GetModuleInformation.KERNEL32 ref: 00000254A391D390
memset.NTDLL ref: 00000254A391D3A8
GetSystemDirectoryW.KERNEL32 ref: 00000254A391D3B7
lstrcatW.KERNEL32 ref: 00000254A391D3D9
CreateFileW.KERNEL32 ref: 00000254A391D406
CreateFileMappingW.KERNELBASE ref: 00000254A391D42D
MapViewOfFile.KERNEL32 ref: 00000254A391D457
VirtualProtect.KERNEL32 ref: 00000254A391D4F2
memcpy.NTDLL ref: 00000254A391D507
VirtualProtect.KERNEL32 ref: 00000254A391D525

Strings

ntdll.dll, xrefs: 00000254A391D34C
.text, xrefs: 00000254A391D497
\ntdll.dll, xrefs: 00000254A391D3C5

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
String ID: .text$\ntdll.dll$ntdll.dll
API String ID: 992094507-3745270394
Opcode ID: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
Instruction ID: 86b5945e9e48924422df39df39c03bc2c47688d530c5ebe112a2ba5b5a22ff69
Opcode Fuzzy Hash: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
Instruction Fuzzy Hash: E051A372769F8087DBA0DF11E8587AAB7A8F789B4DF444115DA8E03B58EF38D485CB04

Function 00000254A27D0508 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00000254A27D0627
GetProcAddressForCaller.KERNELBASE ref: 00000254A27D06C1

Strings

ntdl, xrefs: 00000254A27D0593
ntdl, xrefs: 00000254A27D0541
ocat, xrefs: 00000254A27D0566
lloc, xrefs: 00000254A27D05AE
eHea, xrefs: 00000254A27D056D
l.dl, xrefs: 00000254A27D059A
l.dl, xrefs: 00000254A27D054B
RtlA, xrefs: 00000254A27D05A7
eap, xrefs: 00000254A27D05BC
RtlR, xrefs: 00000254A27D0558
eAll, xrefs: 00000254A27D055F
ateH, xrefs: 00000254A27D05B5

Memory Dump Source

Source File: 00000003.00000002.3266861703.00000254A27D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a27d0000_svchost.jbxd

Similarity

API ID: AddressCallerLibraryLoadProc
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 4215043672-3994871222
Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction ID: 5da7f39cbacceb92399f880ac11b8483b1045c25be6ff878235f79e0700b892a
Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction Fuzzy Hash: D0710434608E098FEF99EF58C85A7B9B7E1FF84311F20111AD809C7685DB34D9828F89

Function 00000254A27A0508 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00000254A27A0627

Strings

ateH, xrefs: 00000254A27A05B5
eHea, xrefs: 00000254A27A056D
l.dl, xrefs: 00000254A27A059A
ntdl, xrefs: 00000254A27A0541
l.dl, xrefs: 00000254A27A054B
RtlR, xrefs: 00000254A27A0558
RtlA, xrefs: 00000254A27A05A7
eap, xrefs: 00000254A27A05BC
ntdl, xrefs: 00000254A27A0593
lloc, xrefs: 00000254A27A05AE
ocat, xrefs: 00000254A27A0566
eAll, xrefs: 00000254A27A055F

Memory Dump Source

Source File: 00000003.00000002.3266794097.00000254A27A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a27a0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
API String ID: 1029625771-3994871222
Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction ID: 9021d3ecbc34b4970be65b13060bafbda6fe6850f1967d82835826a3cbf9b043
Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
Instruction Fuzzy Hash: 21712534608E098FEF99EF18C8597B9B3E1FF84325F600519D809C7685DB34D9828B89

Function 00000254A391D7D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32 ref: 00000254A391D820
CoCreateInstance.COMBASE ref: 00000254A391D845
CoUninitialize.OLE32 ref: 00000254A391D86E
SysAllocString.OLEAUT32 ref: 00000254A391D886
SysFreeString.OLEAUT32 ref: 00000254A391D8A0
CoUninitialize.OLE32 ref: 00000254A391D8BA

Strings

Block All Outbound, xrefs: 00000254A391D87A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: StringUninitialize$AllocCreateFreeInitializeInstance
String ID: Block All Outbound
API String ID: 4211003860-2946277995
Opcode ID: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
Instruction ID: 189f63c7de1312f109f0e44edda26ca381830a740d9805d5651fbb2796c5a728
Opcode Fuzzy Hash: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
Instruction Fuzzy Hash: EB310676B51B40CAEB40AF35DC5429C7BB4F788B8DB044926DA1E57B28EF34C698CB44

Function 00000254A390F560 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 113
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00000254A390F59E
memcpy.NTDLL ref: 00000254A390F5BA
VirtualFree.KERNEL32 ref: 00000254A390F6AF
VirtualFree.KERNEL32 ref: 00000254A390F6CF
VirtualFree.KERNELBASE ref: 00000254A390F6E4

Strings

Z, xrefs: 00000254A390F5C4
M, xrefs: 00000254A390F5BF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$Allocmemcpy
String ID: M$Z
API String ID: 2981101286-4250246861
Opcode ID: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
Instruction ID: ed516a3b5567930e260dadeec33cf3d333e93587ae9c5c35d7142cf1de25be91
Opcode Fuzzy Hash: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
Instruction Fuzzy Hash: AA410722B20FC482FB91EB3D982836D9754B7D6B9DF148316DA9617395FF39C5808304

Function 00000254A390FE20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00000254A390FEBC
GetLastError.KERNEL32 ref: 00000254A390FEC6
CloseHandle.KERNEL32 ref: 00000254A390FED8
CloseHandle.KERNEL32 ref: 00000254A390FEED
SuspendThread.KERNEL32 ref: 00000254A390FEFC

Strings

h, xrefs: 00000254A390FEB4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcessSuspendThread
String ID: h
API String ID: 2500411409-2439710439
Opcode ID: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
Instruction ID: ead369422e40c87a3e65e6e6996f6a0536ff29f5007936b53e038c467ee1a63a
Opcode Fuzzy Hash: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
Instruction Fuzzy Hash: F731AE32A28F8086E790DF51E85835DB3A8F398798F115226EA9903B14EFB9C5D4CB04

Function 00000254A3916F00 Relevance: 9.0, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A3916F0E
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F2B
VirtualFree.KERNELBASE(?,?,00000000,00000254A3901E65), ref: 00000254A3916F4F
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F66
DeleteCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F70
VirtualFree.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F81

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
String ID:
API String ID: 4123369522-0
Opcode ID: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
Instruction ID: 0186fd3473cd263e42cff5b1e612b1dd912570cfd0db01f70c7804c4a8cc9f02
Opcode Fuzzy Hash: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
Instruction Fuzzy Hash: B5014421765E4083EBC4AF12E968359A769FB88B8EF484424DF5A07B54EF38C4D98705

Function 00000254A391C950 Relevance: 7.6, APIs: 5, Instructions: 68processCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A391C974
CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391C97E
Process32FirstW.KERNEL32 ref: 00000254A391C9A1
Process32NextW.KERNEL32 ref: 00000254A391C9BE
CloseHandle.KERNEL32 ref: 00000254A391CA41

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
Instruction ID: 6aee2cc9ff312f51de27129b238a3bc2fdd3f3c30eeb8c887491d9fb6c7a3fc2
Opcode Fuzzy Hash: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
Instruction Fuzzy Hash: DE318D22B19F8482E791CB38D9183ACB764F399B9CF09A315DF9812656EF34D6C9C700

Function 00000001800019D0 Relevance: 4.5, APIs: 3, Instructions: 16fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00000001800019D9
SleepEx.KERNEL32 ref: 00000001800019E8
DeleteFileW.KERNEL32 ref: 00000001800019F1

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: DeleteFile$Sleep
String ID:
API String ID: 2100639427-0
Opcode ID: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
Instruction ID: ee9c1bd20bde787a3df6403edb75ddca03fdaf3f5216dae4a0b383b50a80e175
Opcode Fuzzy Hash: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
Instruction Fuzzy Hash: 5CD05E20301A0986FB9A5BB2E8583E613A85B0DBD2F0860249C1685280DF18C7CE8301

Function 00000254A27A0345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00000254A27A0395

Memory Dump Source

Source File: 00000003.00000002.3266794097.00000254A27A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a27a0000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: 75997eec585f0317f8414c677bffcf0459e421bc355df8ea6b1ca7857b1911b4
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: DC31E53568CA008BDB5DEA1CE8D1678B3D0F755315B70055DE9C7C7187EA39E8438689

Function 00000254A27D0345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00000254A27D0395

Memory Dump Source

Source File: 00000003.00000002.3266861703.00000254A27D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a27d0000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: e3ed0f516c29daf8e20b6b3a591f9c0d0636def2597ccc9132ac2315a0f12283
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: A831F73168CA008BDB5DEA1CF8D1678B3D0F755305B34125DD9C7C7187EA39E8438A89

Function 00000254A37A0345 Relevance: 1.4, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00000254A37A0395

Memory Dump Source

Source File: 00000003.00000002.3270556202.00000254A37A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000254A37A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a37a0000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction ID: 860a56479e6b6f1a27eea03da12e5a8079273d5b1b53adc3a4a94059fa77ebec
Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
Instruction Fuzzy Hash: DD312735A98A008BDB4DEA0CF8D1678B3D0F758309F60455CE5C7C7187EA39E8438689

Non-executed Functions

Function 00000254A3905FB0 Relevance: 105.2, APIs: 47, Strings: 13, Instructions: 229threadsleepstringCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A3906010

Part of subcall function 00000254A391C950: memset.NTDLL ref: 00000254A391C974
Part of subcall function 00000254A391C950: CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391C97E
Part of subcall function 00000254A391C950: Process32FirstW.KERNEL32 ref: 00000254A391C9A1
Part of subcall function 00000254A391C950: Process32NextW.KERNEL32 ref: 00000254A391C9BE
Part of subcall function 00000254A391C950: CloseHandle.KERNEL32 ref: 00000254A391CA41

TerminateThread.KERNEL32 ref: 00000254A390604B
TerminateProcess.KERNEL32 ref: 00000254A390607B
lstrcmpiW.KERNEL32 ref: 00000254A3906098
Sleep.KERNEL32 ref: 00000254A39060AD
ExitThread.KERNEL32 ref: 00000254A39060B5

Strings

arphaDump64.dll, xrefs: 00000254A390621F
\drivers\, xrefs: 00000254A3906124
C:\Program Files\Windows Mail, xrefs: 00000254A39061F0, 00000254A3906226, 00000254A390625C, 00000254A3906290, 00000254A39062C4
temp.key, xrefs: 00000254A39062BD
Inject Test, xrefs: 00000254A390608A
MicrosoftEdgeUpdate, xrefs: 00000254A39060D0, 00000254A3906136, 00000254A39063C9
install.cfg, xrefs: 00000254A3906289
arphaDump64.bin, xrefs: 00000254A3906255
arphaCrashReport64.exe, xrefs: 00000254A39061E9
.sys, xrefs: 00000254A3906148
47.238.215.73, xrefs: 00000254A390637F
%s\%s, xrefs: 00000254A39061F7, 00000254A390622D, 00000254A3906263, 00000254A3906297, 00000254A39062CB
sys, xrefs: 00000254A39060E4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ProcessProcess32TerminateThread$CloseCreateCurrentExitFirstHandleNextSleepSnapshotToolhelp32lstrcmpimemset
String ID: %s\%s$.sys$47.238.215.73$C:\Program Files\Windows Mail$Inject Test$MicrosoftEdgeUpdate$\drivers\$arphaCrashReport64.exe$arphaDump64.bin$arphaDump64.dll$install.cfg$sys$temp.key
API String ID: 946687889-3510217159
Opcode ID: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
Instruction ID: cef36bdf93a21a04dd00472838125a16e9f8e80ad0dd9aa22c852c45b4efd1ca
Opcode Fuzzy Hash: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
Instruction Fuzzy Hash: ABC151313A5E8197EB90EF21EC683D9A369F789B4EF844012C54A46565FF38C6CEC709

Function 00000254A3919300 Relevance: 98.4, APIs: 53, Strings: 3, Instructions: 425stringprocessmemoryCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A3919315
memset.NTDLL ref: 00000254A3919337
memset.NTDLL ref: 00000254A391934B
GetCurrentProcess.KERNEL32 ref: 00000254A391937A
OpenProcessToken.ADVAPI32 ref: 00000254A391938D
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A39193B5
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A39193D7
GetLastError.KERNEL32 ref: 00000254A39193DD
CloseHandle.KERNEL32 ref: 00000254A39193F3
CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A39193FE
Process32FirstW.KERNEL32 ref: 00000254A3919437
OpenProcess.KERNEL32 ref: 00000254A391945B
memset.NTDLL ref: 00000254A3919487
lstrcpyW.KERNEL32 ref: 00000254A3919497
GetPriorityClass.KERNEL32 ref: 00000254A39194A9
memset.NTDLL ref: 00000254A39194D8
memset.NTDLL ref: 00000254A39194EC
OpenProcessToken.ADVAPI32 ref: 00000254A3919507
GetTokenInformation.ADVAPI32 ref: 00000254A3919539
GlobalAlloc.KERNEL32 ref: 00000254A3919554
GetTokenInformation.ADVAPI32 ref: 00000254A3919585
LookupAccountSidW.ADVAPI32 ref: 00000254A39195E1
LookupAccountSidW.ADVAPI32 ref: 00000254A391963E
lstrcpyW.KERNEL32 ref: 00000254A3919656
GlobalFree.KERNEL32 ref: 00000254A391965F
CloseHandle.KERNEL32 ref: 00000254A391966F
ProcessIdToSessionId.KERNEL32 ref: 00000254A391967F
K32GetProcessMemoryInfo.KERNEL32 ref: 00000254A39196B3
K32EnumProcessModules.KERNEL32 ref: 00000254A39196E6
K32GetProcessImageFileNameW.KERNEL32 ref: 00000254A39196FC
GetLogicalDriveStringsW.KERNEL32 ref: 00000254A391971E
QueryDosDeviceW.KERNEL32 ref: 00000254A3919774
lstrlenW.KERNEL32 ref: 00000254A3919785
wcsncmp.NTDLL ref: 00000254A391979F
lstrcpyW.KERNEL32 ref: 00000254A39197D5
CreateFileW.KERNEL32 ref: 00000254A39197FF
GetFileSize.KERNEL32 ref: 00000254A3919813
CloseHandle.KERNEL32 ref: 00000254A391982A
lstrcpyW.KERNEL32 ref: 00000254A391983E
lstrcatW.KERNEL32 ref: 00000254A3919856
CloseHandle.KERNEL32 ref: 00000254A3919885
Process32NextW.KERNEL32 ref: 00000254A3919892
GetCurrentProcess.KERNEL32 ref: 00000254A39198B8
OpenProcessToken.ADVAPI32 ref: 00000254A39198CD
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A39198F1
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A3919915
GetLastError.KERNEL32 ref: 00000254A391991B
CloseHandle.KERNEL32 ref: 00000254A3919931
CloseHandle.KERNEL32 ref: 00000254A391993F
VirtualFree.KERNEL32 ref: 00000254A39199D9
VirtualFree.KERNEL32 ref: 00000254A3919A03
VirtualFree.KERNEL32 ref: 00000254A3919A21
VirtualFree.KERNEL32 ref: 00000254A3919A4B

Strings

H, xrefs: 00000254A39196A3
unknown, xrefs: 00000254A3919706
SeDebugPrivilege, xrefs: 00000254A39193A4, 00000254A39198E4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
String ID: H$SeDebugPrivilege$unknown
API String ID: 976869081-3969872153
Opcode ID: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
Instruction ID: 599204c2c1a9930a977226fe37f2fa73f4452e5aed3b2ef2f4890b5313071a4b
Opcode Fuzzy Hash: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
Instruction Fuzzy Hash: DC229132725F8086EBA0EF21DC583D9B7A8F788B9DF404115DA4957A98EF38C6C9C744

Function 00000254A390EA40 Relevance: 77.3, APIs: 39, Strings: 5, Instructions: 330memorystringprocessCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A390EA54
memset.NTDLL ref: 00000254A390EA78
GetWindowsDirectoryW.KERNEL32 ref: 00000254A390EA86
GetLastError.KERNEL32 ref: 00000254A390EA90
lstrcatW.KERNEL32 ref: 00000254A390EAA9
CreateFileW.KERNEL32 ref: 00000254A390EB28
GetLastError.KERNEL32 ref: 00000254A390EB37
WriteFile.KERNEL32 ref: 00000254A390EB54
GetLastError.KERNEL32 ref: 00000254A390EB5E
CloseHandle.KERNEL32 ref: 00000254A390EB6C
CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A390EB83
GetProcessHeap.KERNEL32 ref: 00000254A390EB92
HeapAlloc.KERNEL32 ref: 00000254A390EBA6
CloseHandle.KERNEL32 ref: 00000254A390EBB7
GetLastError.KERNEL32 ref: 00000254A390EBBD
Process32FirstW.KERNEL32 ref: 00000254A390EBFA
lstrcmpiW.KERNEL32 ref: 00000254A390EC0F
Process32NextW.KERNEL32 ref: 00000254A390EC2E
GetProcessHeap.KERNEL32 ref: 00000254A390EC38
HeapFree.KERNEL32 ref: 00000254A390EC46
CloseHandle.KERNEL32 ref: 00000254A390EC54
memset.NTDLL ref: 00000254A390EC69
memset.NTDLL ref: 00000254A390EC7D
memset.NTDLL ref: 00000254A390EC91
memset.NTDLL ref: 00000254A390ECA5
memset.NTDLL ref: 00000254A390ED41
memset.NTDLL ref: 00000254A390ED55
PathRemoveFileSpecW.SHLWAPI ref: 00000254A390ED6F
wsprintfW.USER32 ref: 00000254A390ED8D
CreateProcessW.KERNEL32 ref: 00000254A390EDD3
CloseHandle.KERNEL32 ref: 00000254A390EDE5
CloseHandle.KERNEL32 ref: 00000254A390EDFA
memset.NTDLL ref: 00000254A390EE18
wsprintfW.USER32 ref: 00000254A390EE35
lstrlenW.KERNEL32 ref: 00000254A390EE42
VirtualFree.KERNEL32 ref: 00000254A390EF39
VirtualFree.KERNEL32 ref: 00000254A390EF63
VirtualFree.KERNEL32 ref: 00000254A390EF79
VirtualFree.KERNEL32 ref: 00000254A390EFA3

Part of subcall function 00000254A3916F00: IsBadReadPtr.KERNEL32 ref: 00000254A3916F0E
Part of subcall function 00000254A3916F00: EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F2B
Part of subcall function 00000254A3916F00: VirtualFree.KERNELBASE(?,?,00000000,00000254A3901E65), ref: 00000254A3916F4F
Part of subcall function 00000254A3916F00: LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F66
Part of subcall function 00000254A3916F00: DeleteCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F70
Part of subcall function 00000254A3916F00: VirtualFree.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F81

Strings

"tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77, xrefs: 00000254A390ED75
\rar.exe, xrefs: 00000254A390EA96
%s\tdata_%d.rar, xrefs: 00000254A390EE27
Telegram.exe, xrefs: 00000254A390EC08
rar.exe a "tdata_%d.rar" %s -m5, xrefs: 00000254A390ED7F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memset$Free$Virtual$CloseHandle$ErrorHeapLast$CreateCriticalFileProcessSection$Process32wsprintf$AllocDeleteDirectoryEnterFirstLeaveNextPathReadRemoveSnapshotSpecToolhelp32WindowsWrite__chkstklstrcatlstrcmpilstrlen
String ID: "tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77$%s\tdata_%d.rar$Telegram.exe$\rar.exe$rar.exe a "tdata_%d.rar" %s -m5
API String ID: 1825664495-2162963810
Opcode ID: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
Instruction ID: 47dbfb2cedf308bb4fb2e2756a614d9e6d37cac4071dea2a61a8f1ec361b032c
Opcode Fuzzy Hash: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
Instruction Fuzzy Hash: 32E18222764F8087F7A4EF61EC6869DA769F789B8EF404114CE4A47A54EF38C2C9C705

Function 00000254A39076E0 Relevance: 73.8, APIs: 26, Strings: 16, Instructions: 273memorythreadstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3907709
GetSystemDirectoryW.KERNEL32 ref: 00000254A390771A
GetLastError.KERNEL32 ref: 00000254A3907724
lstrcatW.KERNEL32 ref: 00000254A39078FB
IsBadReadPtr.KERNEL32 ref: 00000254A3907910
EnterCriticalSection.KERNEL32 ref: 00000254A3907926
LeaveCriticalSection.KERNEL32 ref: 00000254A3907949

Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,00000254A3901B37), ref: 00000254A3910697
Part of subcall function 00000254A3910680: GetCurrentProcess.KERNEL32 ref: 00000254A39106C8
Part of subcall function 00000254A3910680: OpenProcessToken.ADVAPI32 ref: 00000254A39106D9
Part of subcall function 00000254A3910680: LookupPrivilegeValueW.ADVAPI32 ref: 00000254A3910701
Part of subcall function 00000254A3910680: AdjustTokenPrivileges.KERNELBASE ref: 00000254A3910721
Part of subcall function 00000254A3910680: GetLastError.KERNEL32 ref: 00000254A3910727
Part of subcall function 00000254A3910680: CloseHandle.KERNEL32 ref: 00000254A391073B
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A3910752
Part of subcall function 00000254A3910680: InitializeCriticalSection.KERNEL32 ref: 00000254A3910764
Part of subcall function 00000254A3910680: IsBadReadPtr.KERNEL32 ref: 00000254A391077D
Part of subcall function 00000254A3910680: EnterCriticalSection.KERNEL32 ref: 00000254A3910790
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A39107A7
Part of subcall function 00000254A3910680: LeaveCriticalSection.KERNEL32 ref: 00000254A39107D6
Part of subcall function 00000254A3910680: IsBadReadPtr.KERNEL32 ref: 00000254A39107E8
Part of subcall function 00000254A3910680: EnterCriticalSection.KERNEL32 ref: 00000254A39107FB
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A3910812

IsBadReadPtr.KERNEL32 ref: 00000254A39079C4
EnterCriticalSection.KERNEL32 ref: 00000254A39079D7
VirtualAlloc.KERNEL32 ref: 00000254A39079EF
LeaveCriticalSection.KERNEL32 ref: 00000254A3907A13
CreateThread.KERNEL32 ref: 00000254A3907A43
IsBadReadPtr.KERNEL32 ref: 00000254A3907A67
EnterCriticalSection.KERNEL32 ref: 00000254A3907A7A
VirtualAlloc.KERNEL32 ref: 00000254A3907A91
LeaveCriticalSection.KERNEL32 ref: 00000254A3907AB5
memset.NTDLL ref: 00000254A3907AD5
GetCurrentProcessId.KERNEL32 ref: 00000254A3907ADA
wsprintfW.USER32 ref: 00000254A3907AF4
IsBadReadPtr.KERNEL32 ref: 00000254A3907B17
EnterCriticalSection.KERNEL32 ref: 00000254A3907B2A
VirtualAlloc.KERNEL32 ref: 00000254A3907B41
LeaveCriticalSection.KERNEL32 ref: 00000254A3907B65
CreateThread.KERNEL32 ref: 00000254A3907B87
VirtualFree.KERNEL32 ref: 00000254A3907BAD
LeaveCriticalSection.KERNEL32 ref: 00000254A3907BDD

Strings

{:~:, xrefs: 00000254A3907845
R:U:, xrefs: 00000254A3907753
~:~:, xrefs: 00000254A390784C
j:H:, xrefs: 00000254A3907792
I:N:, xrefs: 00000254A390775F
\\.\Pipe\%d_pipe%d, xrefs: 00000254A3907AE3
:, xrefs: 00000254A3907890
B:_:, xrefs: 00000254A3907777
V:V:, xrefs: 00000254A3907747
f:^:, xrefs: 00000254A390773B
_:I:, xrefs: 00000254A39077BC
U:Y:, xrefs: 00000254A39077B4
A:|:, xrefs: 00000254A39077DA
^:, xrefs: 00000254A39077CC
:G:, xrefs: 00000254A390786F
I:S:, xrefs: 00000254A39077C4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
API String ID: 1888231936-1994672154
Opcode ID: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
Instruction ID: 38493eafba8f840d546725375ccf5113ea4200ee21a7f4775d68f7408e7cbfbf
Opcode Fuzzy Hash: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
Instruction Fuzzy Hash: F7E1B273614F8087E7509F21E8147AEBBA8F789B9DF049215DE9907A58EF38D5C4CB04

Function 00000254A3917290 Relevance: 72.1, APIs: 38, Strings: 3, Instructions: 334stringnetworkmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A39172B9
lstrlenW.KERNEL32 ref: 00000254A39172D6
lstrlenW.KERNEL32 ref: 00000254A39172E9
GetCurrentProcess.KERNEL32 ref: 00000254A39172FF
OpenProcessToken.ADVAPI32 ref: 00000254A3917313
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A391733B
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A391735D
GetLastError.KERNEL32 ref: 00000254A3917363
CloseHandle.KERNEL32 ref: 00000254A3917379
GetExtendedTcpTable.IPHLPAPI ref: 00000254A391739F
VirtualAlloc.KERNEL32 ref: 00000254A39173B7
GetExtendedTcpTable.IPHLPAPI ref: 00000254A39173EA
VirtualFree.KERNEL32 ref: 00000254A39173FF
memset.NTDLL ref: 00000254A391747F
lstrlenW.KERNEL32 ref: 00000254A391749A
memset.NTDLL ref: 00000254A3917519
inet_ntoa.WS2_32 ref: 00000254A3917521
lstrcpyA.KERNEL32 ref: 00000254A391752E
lstrlenA.KERNEL32 ref: 00000254A3917538
htons.WS2_32 ref: 00000254A3917567
memset.NTDLL ref: 00000254A39175A6
inet_ntoa.WS2_32 ref: 00000254A39175AE
lstrcpyA.KERNEL32 ref: 00000254A39175BE
lstrlenA.KERNEL32 ref: 00000254A39175CB
htons.WS2_32 ref: 00000254A39175FD
memset.NTDLL ref: 00000254A391762C
lstrlenW.KERNEL32 ref: 00000254A3917647
VirtualFree.KERNEL32 ref: 00000254A391769E
GetCurrentProcess.KERNEL32 ref: 00000254A39176B4
OpenProcessToken.ADVAPI32 ref: 00000254A39176C9
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A39176EE
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A3917712
GetLastError.KERNEL32 ref: 00000254A3917718
CloseHandle.KERNEL32 ref: 00000254A391772E
VirtualFree.KERNEL32 ref: 00000254A39177D7
VirtualFree.KERNEL32 ref: 00000254A3917801
VirtualFree.KERNEL32 ref: 00000254A391781F
VirtualFree.KERNEL32 ref: 00000254A3917849

Strings

System, xrefs: 00000254A39172DE
SeDebugPrivilege, xrefs: 00000254A391732A, 00000254A39176E0
TCP, xrefs: 00000254A39172C1, 00000254A3917500

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
String ID: SeDebugPrivilege$System$TCP
API String ID: 2139412910-32757284
Opcode ID: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
Instruction ID: 9bde93dc4db52ff0dee1f3f8cc8afe20da93a97da6d7e8fd0393465a5fac226d
Opcode Fuzzy Hash: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
Instruction Fuzzy Hash: 26F19376325B8086EBA0EF25EC5879EB764F789B9DF404115CA4A47B58EF38C5C8CB04

Function 00000254A3906630 Relevance: 72.0, APIs: 35, Strings: 6, Instructions: 267stringfileprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390668C
VirtualFree.KERNEL32 ref: 00000254A39066B6
VirtualAlloc.KERNEL32 ref: 00000254A390671B
VirtualFree.KERNEL32 ref: 00000254A390674D
VirtualFree.KERNEL32 ref: 00000254A3906777
memcpy.NTDLL ref: 00000254A390679D
memcpy.NTDLL ref: 00000254A3906848
memset.NTDLL ref: 00000254A3906859
memset.NTDLL ref: 00000254A390686D
lstrcatW.KERNEL32 ref: 00000254A390687D
lstrcatW.KERNEL32 ref: 00000254A390688E
lstrcatW.KERNEL32 ref: 00000254A390689F
lstrcatW.KERNEL32 ref: 00000254A39068B0
lstrcatW.KERNEL32 ref: 00000254A39068C4
MoveFileW.KERNEL32 ref: 00000254A39068D5
CreateFileW.KERNEL32 ref: 00000254A3906909
GetLastError.KERNEL32 ref: 00000254A3906918
WriteFile.KERNEL32 ref: 00000254A3906937
GetLastError.KERNEL32 ref: 00000254A3906941
CloseHandle.KERNEL32 ref: 00000254A3906951
MoveFileW.KERNEL32 ref: 00000254A3906966
VirtualFree.KERNEL32 ref: 00000254A3906977
CloseHandle.KERNEL32 ref: 00000254A390698A
DeleteFileW.KERNEL32 ref: 00000254A3906997
VirtualFree.KERNEL32 ref: 00000254A39069A8
memset.NTDLL ref: 00000254A39069FD
lstrcatW.KERNEL32 ref: 00000254A3906A10
lstrcatW.KERNEL32 ref: 00000254A3906A24
lstrcatW.KERNEL32 ref: 00000254A3906A38
CreateProcessW.KERNEL32 ref: 00000254A3906A78
GetLastError.KERNEL32 ref: 00000254A3906A82
CloseHandle.KERNEL32 ref: 00000254A3906A92
CloseHandle.KERNEL32 ref: 00000254A3906AA7
GetCurrentProcess.KERNEL32 ref: 00000254A3906AB2
TerminateProcess.KERNEL32 ref: 00000254A3906AC0

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A3906872, 00000254A3906A02
47.238.215.73, xrefs: 00000254A3906790
h, xrefs: 00000254A39069C7
.bak, xrefs: 00000254A39068B6
arphaDump64.bin, xrefs: 00000254A3906894
arphaCrashReport64.exe, xrefs: 00000254A3906A2A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
String ID: .bak$47.238.215.73$C:\Program Files\Windows Mail$arphaCrashReport64.exe$arphaDump64.bin$h
API String ID: 2211108363-1420762985
Opcode ID: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
Instruction ID: 3f720acac7c00ee7a51dec6e70fbc9e3062434a3cbe74571afbda6062622933f
Opcode Fuzzy Hash: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
Instruction Fuzzy Hash: DBD1D422725F8187EBA0EF35DC683A9A365FB89B4DF005225DA4A17A54FF38C1D9C704

Function 00000254A3917870 Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 324stringmemorynetworkCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3917899
lstrlenW.KERNEL32 ref: 00000254A39178B6
lstrlenW.KERNEL32 ref: 00000254A39178C9
GetCurrentProcess.KERNEL32 ref: 00000254A39178DF
OpenProcessToken.ADVAPI32 ref: 00000254A39178F3
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A391791B
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A391793D
GetLastError.KERNEL32 ref: 00000254A3917943
CloseHandle.KERNEL32 ref: 00000254A3917959
GetExtendedUdpTable.IPHLPAPI ref: 00000254A391797F
VirtualAlloc.KERNEL32 ref: 00000254A3917997
GetExtendedUdpTable.IPHLPAPI ref: 00000254A39179CA
VirtualFree.KERNEL32 ref: 00000254A39179DF
memset.NTDLL ref: 00000254A3917A5F
lstrlenW.KERNEL32 ref: 00000254A3917A7A
memset.NTDLL ref: 00000254A3917AF9
inet_ntoa.WS2_32 ref: 00000254A3917B01
lstrcpyA.KERNEL32 ref: 00000254A3917B0E
lstrlenA.KERNEL32 ref: 00000254A3917B18
htons.WS2_32 ref: 00000254A3917B47
lstrlenA.KERNEL32 ref: 00000254A3917B84
memset.NTDLL ref: 00000254A3917BDB
lstrlenW.KERNEL32 ref: 00000254A3917BF6
VirtualFree.KERNEL32 ref: 00000254A3917C4D
GetCurrentProcess.KERNEL32 ref: 00000254A3917C63
OpenProcessToken.ADVAPI32 ref: 00000254A3917C78
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A3917C9D
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A3917CC1
GetLastError.KERNEL32 ref: 00000254A3917CC7
CloseHandle.KERNEL32 ref: 00000254A3917CDD
VirtualFree.KERNEL32 ref: 00000254A3917D84
VirtualFree.KERNEL32 ref: 00000254A3917DAE
VirtualFree.KERNEL32 ref: 00000254A3917DCC
VirtualFree.KERNEL32 ref: 00000254A3917DF6

Part of subcall function 00000254A3916F00: IsBadReadPtr.KERNEL32 ref: 00000254A3916F0E
Part of subcall function 00000254A3916F00: EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F2B
Part of subcall function 00000254A3916F00: VirtualFree.KERNELBASE(?,?,00000000,00000254A3901E65), ref: 00000254A3916F4F
Part of subcall function 00000254A3916F00: LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F66
Part of subcall function 00000254A3916F00: DeleteCriticalSection.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F70
Part of subcall function 00000254A3916F00: VirtualFree.KERNEL32(?,?,00000000,00000254A3901E65), ref: 00000254A3916F81

Strings

System, xrefs: 00000254A39178BE
UDP, xrefs: 00000254A39178A1, 00000254A3917AE0
SeDebugPrivilege, xrefs: 00000254A391790A, 00000254A3917C8F
0.0.0.0, xrefs: 00000254A3917B7D, 00000254A3917BA4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$lstrlen$ProcessTokenmemset$CriticalSection$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValue$AllocDeleteEnterLeaveReadhtonsinet_ntoalstrcpy
String ID: 0.0.0.0$SeDebugPrivilege$System$UDP
API String ID: 3759433425-459619966
Opcode ID: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
Instruction ID: d7952207390b29859a0d6b143aa8b3924a40401b222047644e02f55a83687b2b
Opcode Fuzzy Hash: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
Instruction Fuzzy Hash: 7BF19376325F4086EBA0EF21EC6879EB765F788B9DF404115CA4A47B58EF38C588CB04

Function 00000254A3918880 Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 311stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39188D0
VirtualFree.KERNEL32 ref: 00000254A39188FA
VirtualAlloc.KERNEL32 ref: 00000254A3918949
IsBadReadPtr.KERNEL32 ref: 00000254A39189AB
EnterCriticalSection.KERNEL32 ref: 00000254A39189D3
LeaveCriticalSection.KERNEL32 ref: 00000254A39189F6
IsBadReadPtr.KERNEL32 ref: 00000254A3918A5C
VirtualAlloc.KERNEL32 ref: 00000254A3918A92
VirtualFree.KERNEL32 ref: 00000254A3918AC1
VirtualFree.KERNEL32 ref: 00000254A3918AEB
memset.NTDLL ref: 00000254A3918B00
lstrcatA.KERNEL32 ref: 00000254A3918B21
LeaveCriticalSection.KERNEL32 ref: 00000254A3918B3E
lstrcatW.KERNEL32 ref: 00000254A3918B66
memcpy.NTDLL ref: 00000254A3918C20
memset.NTDLL ref: 00000254A3918C46
GetWindowsDirectoryW.KERNEL32 ref: 00000254A3918C5D
GetLastError.KERNEL32 ref: 00000254A3918C67
lstrcatW.KERNEL32 ref: 00000254A3918C78
GetSystemDirectoryW.KERNEL32 ref: 00000254A3918C90
GetLastError.KERNEL32 ref: 00000254A3918C9A
lstrcatW.KERNEL32 ref: 00000254A3918D1D
lstrcatW.KERNEL32 ref: 00000254A3918D2E
lstrcatW.KERNEL32 ref: 00000254A3918D3B
VirtualFree.KERNEL32 ref: 00000254A3918D8B
VirtualFree.KERNEL32 ref: 00000254A3918D9C

Strings

I:N:, xrefs: 00000254A3918CCB
UDP, xrefs: 00000254A3918B4D
HTTP, xrefs: 00000254A3918B58
f:^:, xrefs: 00000254A3918CB8
\syswow64, xrefs: 00000254A3918C6D
:, xrefs: 00000254A3918CE3
V:V:, xrefs: 00000254A3918CB0
B:_:, xrefs: 00000254A3918CDB
R:U:, xrefs: 00000254A3918CBD
TCP, xrefs: 00000254A3918B32

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Freelstrcat$Read$EnterLeave$DirectoryErrorLastmemset$InitializeSystemWindowsmemcpy
String ID: :$B:_:$HTTP$I:N:$R:U:$TCP$UDP$V:V:$\syswow64$f:^:
API String ID: 1846020110-2823427824
Opcode ID: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
Instruction ID: b8c64a94f42aa604b32b368496354d3008f0eb42a7fbbe143e047f4df408a95d
Opcode Fuzzy Hash: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
Instruction Fuzzy Hash: 32E1D332365E8087EBA0AF22D8687ADA764F789B8DF444111CE4A17A54EF38C989C705

Function 00000254A3908DA0 Relevance: 63.2, APIs: 28, Strings: 8, Instructions: 243memorystringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3908DF9
VirtualFree.KERNEL32 ref: 00000254A3908E23
memset.NTDLL ref: 00000254A3908E60
lstrcatA.KERNEL32 ref: 00000254A3908E81
lstrcatW.KERNEL32 ref: 00000254A3908EB4
memcpy.NTDLL ref: 00000254A3908F7B
memset.NTDLL ref: 00000254A3908FA4
GetWindowsDirectoryW.KERNEL32 ref: 00000254A3908FB6
GetLastError.KERNEL32 ref: 00000254A3908FC0
lstrcatW.KERNEL32 ref: 00000254A3908FD2
GetSystemDirectoryW.KERNEL32 ref: 00000254A3908FE7
GetLastError.KERNEL32 ref: 00000254A3908FF1
lstrcatW.KERNEL32 ref: 00000254A3909003
CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A3909015
GetProcessHeap.KERNEL32 ref: 00000254A3909024
HeapAlloc.KERNEL32 ref: 00000254A3909038
CloseHandle.KERNEL32 ref: 00000254A3909049
WTSGetActiveConsoleSessionId.KERNEL32 ref: 00000254A3909059
Process32FirstW.KERNEL32 ref: 00000254A390906A
lstrcmpiW.KERNEL32 ref: 00000254A390907F
Process32NextW.KERNEL32 ref: 00000254A390908F
GetProcessHeap.KERNEL32 ref: 00000254A390909F
HeapFree.KERNEL32 ref: 00000254A39090AD
CloseHandle.KERNEL32 ref: 00000254A39090B6
ProcessIdToSessionId.KERNEL32 ref: 00000254A39090CB
VirtualFree.KERNEL32 ref: 00000254A3909115
VirtualFree.KERNEL32 ref: 00000254A3909145
VirtualFree.KERNEL32 ref: 00000254A3909163

Strings

, xrefs: 00000254A3908FA9
UDP, xrefs: 00000254A3908E9B
@, xrefs: 00000254A3908FDA
HTTP, xrefs: 00000254A3908EA6
\syswow64, xrefs: 00000254A3908FC6
\dllhost.exe, xrefs: 00000254A3908FF7
TCP, xrefs: 00000254A3908E92
explorer.exe, xrefs: 00000254A3909078

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Heaplstrcat$EnterProcessRead$CloseDirectoryErrorHandleLastLeaveProcess32Sessionmemset$ActiveConsoleCreateFirstInitializeNextSnapshotSystemToolhelp32Windowslstrcmpimemcpy
String ID: $@$HTTP$TCP$UDP$\dllhost.exe$\syswow64$explorer.exe
API String ID: 2239626338-2826464075
Opcode ID: 5757aa08a514de2e174b95a11b239ba89f8451405a39913d70d3799bc8b63680
Instruction ID: d0caf9828f054644eb1476d1c38778d3267a358dcd34f897e7db93f4b01e3dd7
Opcode Fuzzy Hash: 5757aa08a514de2e174b95a11b239ba89f8451405a39913d70d3799bc8b63680
Instruction Fuzzy Hash: 19B1A521765F8083FB94AF35EC687A9A365FB8DB8EF404211CA4A46A54FF38C5C9C305

Function 00000254A3919E10 Relevance: 59.8, APIs: 30, Strings: 4, Instructions: 347stringmemoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3919EBC
GetLastError.KERNEL32 ref: 00000254A3919ECA
VirtualFree.KERNEL32 ref: 00000254A3919EEA
VirtualFree.KERNEL32 ref: 00000254A3919F14
GetLastError.KERNEL32 ref: 00000254A3919F1A
memset.NTDLL ref: 00000254A3919F5A
lstrcatW.KERNEL32 ref: 00000254A391A020
lstrcatW.KERNEL32 ref: 00000254A391A034
lstrcatW.KERNEL32 ref: 00000254A391A048
memset.NTDLL ref: 00000254A391A05D
memset.NTDLL ref: 00000254A391A071
memcpy.NTDLL ref: 00000254A391A18B
VirtualFree.KERNEL32 ref: 00000254A391A1D4
VirtualFree.KERNEL32 ref: 00000254A391A1EA
VirtualFree.KERNEL32 ref: 00000254A391A214
VirtualFree.KERNEL32 ref: 00000254A391A225
OpenProcess.KERNEL32 ref: 00000254A391A25A
VirtualAllocEx.KERNEL32 ref: 00000254A391A28D
WriteProcessMemory.KERNEL32 ref: 00000254A391A2B6
CreateRemoteThread.KERNEL32 ref: 00000254A391A2E0
VirtualFree.KERNEL32 ref: 00000254A391A2FF
VirtualFree.KERNEL32 ref: 00000254A391A329
VirtualFree.KERNEL32 ref: 00000254A391A33A
GetLastError.KERNEL32 ref: 00000254A391A34F

Part of subcall function 00000254A3919220: VirtualFree.KERNEL32 ref: 00000254A39192AE
Part of subcall function 00000254A3919220: VirtualFree.KERNEL32 ref: 00000254A39192D8

VirtualFree.KERNEL32 ref: 00000254A391A36F
VirtualFree.KERNEL32 ref: 00000254A391A399
VirtualFree.KERNEL32 ref: 00000254A391A3AA
GetLastError.KERNEL32 ref: 00000254A391A3B0
VirtualFree.KERNEL32 ref: 00000254A391A3C8
VirtualFree.KERNEL32 ref: 00000254A391A3F2

Strings

Inject Test, xrefs: 00000254A3919FC6, 00000254A391A026, 00000254A391A03A
:, xrefs: 00000254A391A160
47.238.215.73, xrefs: 00000254A3919F69
@, xrefs: 00000254A391A282

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$ErrorLast$lstrcatmemset$AllocProcess$CreateMemoryOpenRemoteThreadWritememcpy
String ID: 47.238.215.73$:$@$Inject Test
API String ID: 1625309433-4199450184
Opcode ID: 5566dcc5605b0a6cd22809c0907e2384aa0d6f53cf907175bde78d5295b26e8a
Instruction ID: ce7714fc1addc868f3655dfcc7bd7b54af66992aace184226b0870f7025adee0
Opcode Fuzzy Hash: 5566dcc5605b0a6cd22809c0907e2384aa0d6f53cf907175bde78d5295b26e8a
Instruction Fuzzy Hash: 60F1D522B26FC086E7A0DF35DC287A9B365FB89B8DF009214DE4916A55FF3886C5C705

Function 00000254A3919A70 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 204stringsleeplibraryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3919AB5
memset.NTDLL ref: 00000254A3919AC9
VirtualFree.KERNEL32 ref: 00000254A3919B00
VirtualFree.KERNEL32 ref: 00000254A3919B42
GetModuleHandleW.KERNEL32 ref: 00000254A3919B4F
GetProcAddress.KERNEL32 ref: 00000254A3919B6B
GetProcAddress.KERNEL32 ref: 00000254A3919B7E
GetCurrentProcess.KERNEL32 ref: 00000254A3919B95
OpenProcessToken.ADVAPI32 ref: 00000254A3919BA8
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A3919BD0
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A3919BF2
GetLastError.KERNEL32 ref: 00000254A3919BF8
CloseHandle.KERNEL32 ref: 00000254A3919C0C
OpenProcess.KERNEL32 ref: 00000254A3919C20
K32EnumProcessModules.KERNEL32 ref: 00000254A3919C3E
K32GetProcessImageFileNameW.KERNEL32 ref: 00000254A3919C51
GetLogicalDriveStringsW.KERNEL32 ref: 00000254A3919C73
QueryDosDeviceW.KERNEL32 ref: 00000254A3919CC3
lstrlenW.KERNEL32 ref: 00000254A3919CD2
wcsncmp.NTDLL ref: 00000254A3919CE7
lstrcpyW.KERNEL32 ref: 00000254A3919D1B
TerminateProcess.KERNEL32 ref: 00000254A3919D51
Sleep.KERNEL32 ref: 00000254A3919D60
DeleteFileW.KERNEL32 ref: 00000254A3919D6D
lstrcpyW.KERNEL32 ref: 00000254A3919D81
lstrcatW.KERNEL32 ref: 00000254A3919D96
CloseHandle.KERNEL32 ref: 00000254A3919DC1
Sleep.KERNEL32 ref: 00000254A3919DCC

Strings

NtResumeProcess, xrefs: 00000254A3919B71
ntdll.dll, xrefs: 00000254A3919B48
NtSuspendProcess, xrefs: 00000254A3919B61
SeDebugPrivilege, xrefs: 00000254A3919BBF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$Handle$AddressCloseFileFreeOpenProcSleepTokenVirtuallstrcpymemset$AdjustCurrentDeleteDeviceDriveEnumErrorImageLastLogicalLookupModuleModulesNamePrivilegePrivilegesQueryStringsTerminateValuelstrcatlstrlenwcsncmp
String ID: NtResumeProcess$NtSuspendProcess$SeDebugPrivilege$ntdll.dll
API String ID: 335747669-263106891
Opcode ID: 0323485f620a88985792f302705c0bf60f5310987a287480cf63306c896622fa
Instruction ID: c7802b8e57ad430ab837673ad16a755bd9b561c188d7ea3d62d220e816e674ba
Opcode Fuzzy Hash: 0323485f620a88985792f302705c0bf60f5310987a287480cf63306c896622fa
Instruction Fuzzy Hash: 21A1E736365E8183EBE0EF21EC68399A768FB88B4EF404115D94A57698FF38C5C9C744

Function 00000254A3905150 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 248stringfilethreadCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3905186
wsprintfW.USER32 ref: 00000254A39051A5
CreateFileW.KERNEL32 ref: 00000254A39051E3
GetFileSize.KERNEL32 ref: 00000254A39051FA
ReadFile.KERNEL32 ref: 00000254A3905221
CloseHandle.KERNEL32 ref: 00000254A39052AF
SetThreadExecutionState.KERNEL32 ref: 00000254A39052C5
SystemParametersInfoW.USER32 ref: 00000254A39052D6
SystemParametersInfoW.USER32 ref: 00000254A39052E7
lstrlenW.KERNEL32 ref: 00000254A3905326
lstrlenA.KERNEL32 ref: 00000254A390533B
lstrcmpiW.KERNEL32 ref: 00000254A3905353
lstrcmpiW.KERNEL32 ref: 00000254A3905375
lstrcmpiW.KERNEL32 ref: 00000254A3905396
htons.WS2_32 ref: 00000254A39053CE
VirtualFree.KERNEL32 ref: 00000254A39053F7
VirtualAlloc.KERNEL32 ref: 00000254A3905450
CreateThread.KERNEL32 ref: 00000254A39054A0
VirtualFree.KERNEL32 ref: 00000254A39054DA
VirtualFree.KERNEL32 ref: 00000254A3905504
VirtualFree.KERNEL32 ref: 00000254A390551C
WaitForSingleObject.KERNEL32 ref: 00000254A390554A

Strings

UDP, xrefs: 00000254A390534C
C:\Program Files\Windows Mail, xrefs: 00000254A3905192
HTTP, xrefs: 00000254A390538F
install.cfg, xrefs: 00000254A390518B
47.238.215.73, xrefs: 00000254A39051B0
TCP, xrefs: 00000254A390536E
%s\%s, xrefs: 00000254A3905199

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$Filelstrcmpi$CreateInfoParametersSystemThreadlstrlen$AllocCloseExecutionHandleObjectReadSingleSizeStateWaithtonsmemsetwsprintf
String ID: %s\%s$47.238.215.73$C:\Program Files\Windows Mail$HTTP$TCP$UDP$install.cfg
API String ID: 1274318034-1015678215
Opcode ID: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
Instruction ID: 186702271ba62fd707efaaf5d2ce05ef6839e398ceb70cf835ec087de76150bf
Opcode Fuzzy Hash: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
Instruction Fuzzy Hash: D2B17B61665E4087FB94AF22EC69759B7A9FB89B8EF044125CD4A43790FF38C4C9C708

Function 00000254A391F890 Relevance: 50.0, APIs: 33, Instructions: 451servicestringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

OpenSCManagerW.ADVAPI32 ref: 00000254A391F8DA
EnumServicesStatusW.ADVAPI32 ref: 00000254A391F91C
LocalAlloc.KERNEL32 ref: 00000254A391F92D
EnumServicesStatusW.ADVAPI32 ref: 00000254A391F986
memset.NTDLL ref: 00000254A391F9AC
OpenServiceW.ADVAPI32 ref: 00000254A391F9C9
lstrlenW.KERNEL32 ref: 00000254A391F9E0
memcpy.NTDLL ref: 00000254A391FA85
lstrlenW.KERNEL32 ref: 00000254A391FA8F
memcpy.NTDLL ref: 00000254A391FB12
VirtualAlloc.KERNEL32 ref: 00000254A391FB28
QueryServiceConfig2W.ADVAPI32 ref: 00000254A391FB57
lstrlenW.KERNEL32 ref: 00000254A391FB69
memcpy.NTDLL ref: 00000254A391FBEF
CloseServiceHandle.ADVAPI32 ref: 00000254A391FF40
LocalFree.KERNEL32 ref: 00000254A391FF49
VirtualFree.KERNEL32 ref: 00000254A391FFF5
VirtualFree.KERNEL32 ref: 00000254A392001F
VirtualFree.KERNEL32 ref: 00000254A3920035
VirtualFree.KERNEL32 ref: 00000254A392005F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalSection$Free$EnterReadServicelstrlenmemcpy$EnumLeaveLocalOpenServicesStatus$CloseConfig2HandleInitializeManagerQuerymemset
String ID:
API String ID: 1976463032-0
Opcode ID: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
Instruction ID: e4da9db2bf18e4446ee34eeb90d7b456bbe93c6bebaf08adae711dc8029d6e94
Opcode Fuzzy Hash: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
Instruction Fuzzy Hash: 46328C62B25FC482E791DF29D9583AC7364F799B8DF14A215DF8916A12FF34A2D8C300

Function 00000254A3949E90 Relevance: 49.4, APIs: 14, Strings: 14, Instructions: 427networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3946480: memcpy.NTDLL(?,?,Unable to connect,00000254A3949EE8), ref: 00000254A3946573
Part of subcall function 00000254A3946480: memcpy.NTDLL(?,?,Unable to connect,00000254A3949EE8), ref: 00000254A3946591

Part of subcall function 00000254A394F0A0: memcpy.NTDLL(?,?,?,?,?,?,?,?,Unable to connect,00000254A3949EF3), ref: 00000254A394F0F8

freeaddrinfo.WS2_32 ref: 00000254A3949EF6
connect.WS2_32 ref: 00000254A3949FF7
WSAGetLastError.WS2_32 ref: 00000254A394A005
WSAGetLastError.WS2_32 ref: 00000254A394A050
strncpy.MSVCRT ref: 00000254A394A0A9
htons.WS2_32 ref: 00000254A394A102
socket.WS2_32 ref: 00000254A394A179
WSAGetLastError.WS2_32 ref: 00000254A394A18B
WSAGetLastError.WS2_32 ref: 00000254A394A1D6
closesocket.WS2_32 ref: 00000254A394A4B3
getsockname.WS2_32 ref: 00000254A394A57F

Strings

conn fail: insert fd, xrefs: 00000254A394A26D
RAW, xrefs: 00000254A3949E97
conn fail: skt creation: errno %d, xrefs: 00000254A394A191
conn fail: skt options: errno %d, xrefs: 00000254A394A1DC
conn fail: change pollfd, xrefs: 00000254A394A28A
conn fail: socket bind, xrefs: 00000254A394A31D
POST, xrefs: 00000254A3949E95
client_connect3, xrefs: 00000254A394A4FA
waiting for event loop watcher to close, xrefs: 00000254A394A52B
conn fail: %d, xrefs: 00000254A394A056
lws_free, xrefs: 00000254A394A0E7
conn fail: sock accept, xrefs: 00000254A394A23A
Unable to connect, xrefs: 00000254A3949EAE, 00000254A394A367, 00000254A394A42F, 00000254A394A441, 00000254A394A489
GET, xrefs: 00000254A3949E99

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$memcpy$closesocketconnectfreeaddrinfogetsocknamehtonssocketstrncpy
String ID: GET$POST$RAW$Unable to connect$client_connect3$conn fail: %d$conn fail: change pollfd$conn fail: insert fd$conn fail: skt creation: errno %d$conn fail: skt options: errno %d$conn fail: sock accept$conn fail: socket bind$lws_free$waiting for event loop watcher to close
API String ID: 3000816023-458479724
Opcode ID: 45b74619e095686916e0e6cf39154984f1e692daa841b6c70865dabd898a1b92
Instruction ID: 471907f8a0d7bc6848f0d3eb4b810c57ba5afcb5b362b76d7a39216ff5468862
Opcode Fuzzy Hash: 45b74619e095686916e0e6cf39154984f1e692daa841b6c70865dabd898a1b92
Instruction Fuzzy Hash: 4C128F626A4F8183EBD4EF21DC683EDA3A8E744B8DF4451369E0957699EF38C5C5C308

Function 00000254A3908780 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 274memoryfilestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3908798
lstrcatW.KERNEL32 ref: 00000254A39087A9
lstrcatW.KERNEL32 ref: 00000254A39087BB
CreateFileW.KERNEL32 ref: 00000254A39087F3
GetFileSize.KERNEL32 ref: 00000254A390881B
VirtualAlloc.KERNEL32 ref: 00000254A3908832
ReadFile.KERNEL32 ref: 00000254A390885A
VirtualFree.KERNEL32 ref: 00000254A390894C
VirtualAlloc.KERNEL32 ref: 00000254A39089A8
VirtualAlloc.KERNEL32 ref: 00000254A3908A10
IsBadReadPtr.KERNEL32 ref: 00000254A3908A5A
EnterCriticalSection.KERNEL32 ref: 00000254A3908A70
LeaveCriticalSection.KERNEL32 ref: 00000254A3908A95
IsBadReadPtr.KERNEL32 ref: 00000254A3908AAA
EnterCriticalSection.KERNEL32 ref: 00000254A3908ABD
VirtualAlloc.KERNEL32 ref: 00000254A3908AD4
LeaveCriticalSection.KERNEL32 ref: 00000254A3908AF8
VirtualFree.KERNEL32 ref: 00000254A3908B3D
VirtualFree.KERNEL32 ref: 00000254A3908B67
LeaveCriticalSection.KERNEL32 ref: 00000254A3908B7A
IsBadReadPtr.KERNEL32 ref: 00000254A3908B99
EnterCriticalSection.KERNEL32 ref: 00000254A3908BB4
GetLastError.KERNEL32 ref: 00000254A3908BE2
CloseHandle.KERNEL32 ref: 00000254A3908C00

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A390879D
@, xrefs: 00000254A390887B
\cp.cfg, xrefs: 00000254A39087AF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocRead$EnterFileFreeLeave$lstrcat$CloseCreateErrorHandleLastSizememset
String ID: @$C:\Program Files\Windows Mail$\cp.cfg
API String ID: 1502650097-1776503346
Opcode ID: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
Instruction ID: 8e8153a7ea0554359e12e44b0a58ed825c4a5ad91fc1fe2f027f53dbbd07c14e
Opcode Fuzzy Hash: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
Instruction Fuzzy Hash: 63C1A821369E8083FB94AF25D868369A798F78AB8EF444115CE5543F94FF38C495C709

Function 00000254A39099F0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 175stringclipboardmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000254A3909A3A
WideCharToMultiByte.KERNEL32 ref: 00000254A3909A66
VirtualAlloc.KERNEL32 ref: 00000254A3909A89
lstrlenW.KERNEL32 ref: 00000254A3909A9E

Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C907
Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C92F

lstrlenW.KERNEL32 ref: 00000254A3909B1F
WideCharToMultiByte.KERNEL32 ref: 00000254A3909B48
VirtualAlloc.KERNEL32 ref: 00000254A3909B5D
lstrlenW.KERNEL32 ref: 00000254A3909B76
WideCharToMultiByte.KERNEL32 ref: 00000254A3909BA2
WideCharToMultiByte.KERNEL32 ref: 00000254A3909BC9
lstrlenA.KERNEL32 ref: 00000254A3909BD2
memcpy.NTDLL ref: 00000254A3909BE4
OpenClipboard.USER32 ref: 00000254A3909BEB
EmptyClipboard.USER32 ref: 00000254A3909BF5
lstrlenA.KERNEL32 ref: 00000254A3909BFE
GlobalAlloc.KERNEL32 ref: 00000254A3909C0E
GlobalLock.KERNEL32 ref: 00000254A3909C23
lstrlenA.KERNEL32 ref: 00000254A3909C34
memcpy.NTDLL ref: 00000254A3909C43
GlobalUnlock.KERNEL32 ref: 00000254A3909C4F
SetClipboardData.USER32 ref: 00000254A3909C5D
CloseClipboard.USER32 ref: 00000254A3909C63
VirtualFree.KERNEL32 ref: 00000254A3909C74
VirtualFree.KERNEL32 ref: 00000254A3909C85

Strings

!, xrefs: 00000254A3909AD6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide$ClipboardVirtual$AllocGlobal$Freememcpy$CloseDataEmptyLockOpenUnlock
String ID: !
API String ID: 17242508-2657877971
Opcode ID: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
Instruction ID: 35ad12bd4319fc0a3513727ae27c8f70dcfc72bc960bfc1f6f5f8eeed9fb36fb
Opcode Fuzzy Hash: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
Instruction Fuzzy Hash: 4D717F71765F4083FB94AF22AC68359B6A9FB8DB8EF444024D94A527A4EF3CC4C58709

Function 00000254A390E210 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 199stringfilesleepCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A390E23C
memset.NTDLL ref: 00000254A390E264
memset.NTDLL ref: 00000254A390E278
lstrcatW.KERNEL32 ref: 00000254A390E287
lstrcatW.KERNEL32 ref: 00000254A390E29B
FindFirstFileW.KERNEL32 ref: 00000254A390E2E6
FindNextFileW.KERNEL32 ref: 00000254A390E305
memset.NTDLL ref: 00000254A390E352
lstrcatW.KERNEL32 ref: 00000254A390E361
lstrcatW.KERNEL32 ref: 00000254A390E372
lstrcatW.KERNEL32 ref: 00000254A390E386
Sleep.KERNEL32 ref: 00000254A390E391
lstrlenW.KERNEL32 ref: 00000254A390E39E
wcsstr.NTDLL ref: 00000254A390E3D0
GetCurrentThread.KERNEL32 ref: 00000254A390E41F
IsBadReadPtr.KERNEL32 ref: 00000254A390E430
EnterCriticalSection.KERNEL32 ref: 00000254A390E443
LeaveCriticalSection.KERNEL32 ref: 00000254A390E464
FindNextFileW.KERNEL32 ref: 00000254A390E4AE
LeaveCriticalSection.KERNEL32 ref: 00000254A390E4C2
WaitForSingleObject.KERNEL32 ref: 00000254A390E4D5
VirtualFree.KERNEL32 ref: 00000254A390E4EF
VirtualFree.KERNEL32 ref: 00000254A390E51F

Strings

*.*, xrefs: 00000254A390E28D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
String ID: *.*
API String ID: 491004167-438819550
Opcode ID: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
Instruction ID: 06fae73c0711a28e7cfc3e0e166c1dcbf81c988c6fa03b2a9214a7328462b25d
Opcode Fuzzy Hash: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
Instruction Fuzzy Hash: D891A322765E4087EBA0EF21EC68399B7A8F749B8EF444025DE0947A94FF38C589C705

Function 00000254A3908230 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 320memoryfilestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A390838D
lstrcatW.KERNEL32 ref: 00000254A39083A1
lstrcatW.KERNEL32 ref: 00000254A39083B6
CreateFileW.KERNEL32 ref: 00000254A39083ED
SetFilePointer.KERNEL32 ref: 00000254A3908409
WriteFile.KERNEL32 ref: 00000254A3908427
CloseHandle.KERNEL32 ref: 00000254A3908430
VirtualAlloc.KERNEL32 ref: 00000254A390853B
VirtualAlloc.KERNEL32 ref: 00000254A39085A3
IsBadReadPtr.KERNEL32 ref: 00000254A39085ED
EnterCriticalSection.KERNEL32 ref: 00000254A3908603
LeaveCriticalSection.KERNEL32 ref: 00000254A3908626
IsBadReadPtr.KERNEL32 ref: 00000254A390863B
EnterCriticalSection.KERNEL32 ref: 00000254A390864E
VirtualAlloc.KERNEL32 ref: 00000254A3908665
LeaveCriticalSection.KERNEL32 ref: 00000254A3908689
VirtualFree.KERNEL32 ref: 00000254A390869F
VirtualFree.KERNEL32 ref: 00000254A39086C9
LeaveCriticalSection.KERNEL32 ref: 00000254A3908705
IsBadReadPtr.KERNEL32 ref: 00000254A3908724
EnterCriticalSection.KERNEL32 ref: 00000254A390873F

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A3908392
\cp.cfg, xrefs: 00000254A39083A7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
String ID: C:\Program Files\Windows Mail$\cp.cfg
API String ID: 1370748441-3904790782
Opcode ID: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
Instruction ID: 7ce8a1361ac36bc1f614a95daecb59d95a6e4db3ee3e04281c528b2a3fdba001
Opcode Fuzzy Hash: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
Instruction Fuzzy Hash: 07E1D332765F8083FB95AF24E86836DA768FB8AB8DF558215CA4903B54FF38C485C705

Function 00000254A3909190 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 195sleepmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39091E0
VirtualFree.KERNEL32 ref: 00000254A390920A
memset.NTDLL ref: 00000254A3909256
VirtualFree.KERNEL32 ref: 00000254A390928A
VirtualFree.KERNEL32 ref: 00000254A39092B4
malloc.MSVCRT ref: 00000254A39092BF
wsprintfA.USER32 ref: 00000254A39092E5
CreateMutexA.KERNEL32 ref: 00000254A39092F2
GetLastError.KERNEL32 ref: 00000254A39092FD
free.MSVCRT ref: 00000254A390930D
lstrcatW.KERNEL32 ref: 00000254A3909327
VirtualAlloc.KERNEL32 ref: 00000254A39093CA
memcpy.NTDLL ref: 00000254A39093F4
memcpy.NTDLL ref: 00000254A390940E
Sleep.KERNEL32 ref: 00000254A3909418
GetCurrentProcessId.KERNEL32 ref: 00000254A3909426
VirtualFree.KERNEL32 ref: 00000254A390945A
VirtualFree.KERNEL32 ref: 00000254A3909475
VirtualFree.KERNEL32 ref: 00000254A390949F

Strings

:, xrefs: 00000254A39093A0
Inject Test, xrefs: 00000254A3909318
%s%d, xrefs: 00000254A39092DB

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
String ID: %s%d$:$Inject Test
API String ID: 3230380526-1060902658
Opcode ID: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
Instruction ID: 605ca5a03475a67557f4f104d6b2d6e2996c5fb0280ef6154f234cb2ff30b945
Opcode Fuzzy Hash: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
Instruction Fuzzy Hash: FC919021765F4083FB94AF26E828769B365FB8AF8DF448124DA8A02758EF3CC485C705

Function 00000254A3909EC0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 152stringmemorythreadCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A3909ED2
MultiByteToWideChar.KERNEL32 ref: 00000254A390A10E
MultiByteToWideChar.KERNEL32 ref: 00000254A390A12E
lstrlenW.KERNEL32 ref: 00000254A390A137

Part of subcall function 00000254A390A190: WriteFile.KERNEL32 ref: 00000254A390A3BA
Part of subcall function 00000254A390A190: VirtualFree.KERNEL32 ref: 00000254A390A3CB
Part of subcall function 00000254A390A190: SetFileAttributesW.KERNEL32 ref: 00000254A390A3DB
Part of subcall function 00000254A390A190: CloseHandle.KERNEL32 ref: 00000254A390A3E9

lstrlenW.KERNEL32 ref: 00000254A3909EEB

Part of subcall function 00000254A390A190: GetTickCount.KERNEL32 ref: 00000254A390A1AB
Part of subcall function 00000254A390A190: memset.NTDLL ref: 00000254A390A1C4
Part of subcall function 00000254A390A190: lstrcatW.KERNEL32 ref: 00000254A390A1D5
Part of subcall function 00000254A390A190: lstrcatW.KERNEL32 ref: 00000254A390A1E7
Part of subcall function 00000254A390A190: CreateFileW.KERNEL32 ref: 00000254A390A21E
Part of subcall function 00000254A390A190: CreateFileW.KERNEL32 ref: 00000254A390A253
Part of subcall function 00000254A390A190: SetFilePointer.KERNEL32 ref: 00000254A390A268
Part of subcall function 00000254A390A190: WriteFile.KERNEL32 ref: 00000254A390A297
Part of subcall function 00000254A390A190: SetFileAttributesW.KERNEL32 ref: 00000254A390A2A6
Part of subcall function 00000254A390A190: SetFilePointer.KERNEL32 ref: 00000254A390A2BA
Part of subcall function 00000254A390A190: VirtualAlloc.KERNEL32 ref: 00000254A390A2CF

memset.NTDLL ref: 00000254A3909F13
memset.NTDLL ref: 00000254A3909F33
GetForegroundWindow.USER32 ref: 00000254A3909F38
GetWindowTextW.USER32 ref: 00000254A3909F53
GetWindowThreadProcessId.USER32 ref: 00000254A3909F67
ProcessIdToSessionId.KERNEL32 ref: 00000254A3909F90
memset.NTDLL ref: 00000254A3909FA5
lstrlenW.KERNEL32 ref: 00000254A3909FC3
GetLocalTime.KERNEL32 ref: 00000254A3909FD6
wsprintfW.USER32 ref: 00000254A390A03E
lstrlenW.KERNEL32 ref: 00000254A390A04B
lstrlenA.KERNEL32 ref: 00000254A390A091
MultiByteToWideChar.KERNEL32 ref: 00000254A390A0AA
VirtualAlloc.KERNEL32 ref: 00000254A390A0D6
lstrlenA.KERNEL32 ref: 00000254A390A0F3

Strings

[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d, xrefs: 00000254A390A015
[Keyboard recording content:], xrefs: 00000254A3909EE4, 00000254A3909EF1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: File$lstrlen$memset$ByteCharMultiVirtualWideWindow$AllocAttributesCreatePointerProcessWritelstrcat$CloseCountForegroundFreeHandleLocalSessionTextThreadTickTime__chkstkwsprintf
String ID: [Keyboard recording content:]$[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d
API String ID: 599969897-1868071797
Opcode ID: f17e409ea88a83495190c95706f18a929b1a90729d272230387f25703c5392a2
Instruction ID: e6f81a7dfb146b47f40ed4b859f9fc8ec1ee6d421275fe7f1a6c6ee7fba061f6
Opcode Fuzzy Hash: f17e409ea88a83495190c95706f18a929b1a90729d272230387f25703c5392a2
Instruction Fuzzy Hash: D9719231668E4087E7A0EF25EC683D9B7A9F789B8EF004115D94D46A64FF38C589CB44

Function 00000254A391B2D0 Relevance: 37.9, APIs: 25, Instructions: 372registryCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A391B2E8
memset.NTDLL ref: 00000254A391B30D
memset.NTDLL ref: 00000254A391B321

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A391B3B6
VirtualFree.KERNEL32 ref: 00000254A391B3E0
RegOpenKeyExW.ADVAPI32 ref: 00000254A391B41A
VirtualFree.KERNEL32 ref: 00000254A391B45C
VirtualFree.KERNEL32 ref: 00000254A391B486
memset.NTDLL ref: 00000254A391B49D
RegEnumKeyExW.ADVAPI32 ref: 00000254A391B4D2
memset.NTDLL ref: 00000254A391B528
RegEnumKeyExW.ADVAPI32 ref: 00000254A391B55D
memset.NTDLL ref: 00000254A391B586
memset.NTDLL ref: 00000254A391B59A
RegEnumValueW.ADVAPI32 ref: 00000254A391B5F5
memset.NTDLL ref: 00000254A391B696
memset.NTDLL ref: 00000254A391B6AA
RegEnumValueW.ADVAPI32 ref: 00000254A391B705
RegCloseKey.ADVAPI32 ref: 00000254A391B718
VirtualFree.KERNEL32 ref: 00000254A391B815
VirtualFree.KERNEL32 ref: 00000254A391B83F
VirtualFree.KERNEL32 ref: 00000254A391B855
VirtualFree.KERNEL32 ref: 00000254A391B87F
VirtualFree.KERNEL32 ref: 00000254A391B895
VirtualFree.KERNEL32 ref: 00000254A391B8BF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
String ID:
API String ID: 2734444383-0
Opcode ID: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
Instruction ID: 1ef1b76e244fa220e6db7db8c51f1793c210d3dffb97c9c4a6a48e1d67ff9358
Opcode Fuzzy Hash: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
Instruction Fuzzy Hash: C0F17F32311E4187EBB4DF62D8A8A9DB7A5FB89B89F404014DF5A47B58EF38C195CB04

Function 00000254A3924FA0 Relevance: 37.7, APIs: 25, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3924FB7
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3924FF6
memset.NTDLL ref: 00000254A3925015
CreateEventW.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A392502C
CreateEventW.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925041
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925053
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925145
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925157
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A392516C
IsBadReadPtr.KERNEL32 ref: 00000254A392517E
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925191
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39251A8
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39251D7
IsBadReadPtr.KERNEL32 ref: 00000254A39251E9
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39251FC
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925213
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925242
IsBadReadPtr.KERNEL32 ref: 00000254A3925254
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925267
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A392527E
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39252AD
IsBadReadPtr.KERNEL32 ref: 00000254A39252BF
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39252D2
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A39252E9
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3904AAC), ref: 00000254A3925318

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent$memset
String ID:
API String ID: 1099351009-0
Opcode ID: 4c432805fc150b9a5a3aab3c4a807d14a13fc8452305bb2b73dd0958c01303ba
Instruction ID: de3b2f780cf9b1ac4f6faa2c22419961ba945feeed81db92ee4e65fdd2516977
Opcode Fuzzy Hash: 4c432805fc150b9a5a3aab3c4a807d14a13fc8452305bb2b73dd0958c01303ba
Instruction Fuzzy Hash: D5B13B31361F4093E785EF20E968399B7A8F748B8AF808525CA5947B54EF38D5E8C345

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211servicestringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000001800015E5
memcpy.NTDLL ref: 0000000180001609
malloc.MSVCRT ref: 0000000180001613
memset.NTDLL ref: 0000000180001648
memset.NTDLL ref: 00000001800016A8
GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
malloc.MSVCRT ref: 00000001800016CD
memset.NTDLL ref: 00000001800016E7
memcpy.NTDLL ref: 00000001800016F5
OpenSCManagerW.ADVAPI32 ref: 0000000180001789
EnumServicesStatusExW.ADVAPI32 ref: 00000001800017D0
malloc.MSVCRT ref: 00000001800017E2
memset.NTDLL ref: 00000001800017FC
EnumServicesStatusExW.ADVAPI32 ref: 0000000180001838
CloseServiceHandle.ADVAPI32 ref: 0000000180001845
free.MSVCRT ref: 000000018000184E
CloseServiceHandle.ADVAPI32 ref: 0000000180001856
lstrcmpiW.KERNEL32 ref: 0000000180001881

Strings

Schedule, xrefs: 0000000180001872

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
String ID: Schedule
API String ID: 3636854120-2739827629
Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Function 00000254A3920810 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 186pipeprocessstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3920862
CreatePipe.KERNEL32 ref: 00000254A392088A
CloseHandle.KERNEL32 ref: 00000254A392089C
CloseHandle.KERNEL32 ref: 00000254A39208AE
VirtualFree.KERNEL32 ref: 00000254A39208C8
VirtualFree.KERNEL32 ref: 00000254A39208F2
CreatePipe.KERNEL32 ref: 00000254A3920913
CloseHandle.KERNEL32 ref: 00000254A3920926
CloseHandle.KERNEL32 ref: 00000254A392093D
GetStartupInfoW.KERNEL32 ref: 00000254A392097B
lstrcatW.KERNEL32 ref: 00000254A39209B7
VirtualFree.KERNEL32 ref: 00000254A39209CD
VirtualFree.KERNEL32 ref: 00000254A39209F7
CreateProcessW.KERNEL32 ref: 00000254A3920A36
CloseHandle.KERNEL32 ref: 00000254A3920A48
CloseHandle.KERNEL32 ref: 00000254A3920A5A
CloseHandle.KERNEL32 ref: 00000254A3920A6D
CloseHandle.KERNEL32 ref: 00000254A3920A84
CreateThread.KERNEL32 ref: 00000254A3920AC0

Strings

, xrefs: 00000254A3920A26

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateFreeVirtual$Pipe$InfoProcessStartupThreadlstrcatmemset
String ID:
API String ID: 3234776578-3916222277
Opcode ID: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
Instruction ID: 9fcf862e79ca201ecfd5e381b80d90cb160c839c8f96a629df7e8d53cbb44132
Opcode Fuzzy Hash: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
Instruction Fuzzy Hash: C9912A36655F4086EB94DF62E96836EB7A8FB88B4DF044115DE4A43B14EF38C1E8C348

Function 00000254A390EFC0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 179fileprocessmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A390EFED
GetWindowsDirectoryW.KERNEL32 ref: 00000254A390EFFA
GetLastError.KERNEL32 ref: 00000254A390F004
lstrcatW.KERNEL32 ref: 00000254A390F01D
CreateFileW.KERNEL32 ref: 00000254A390F09C
GetLastError.KERNEL32 ref: 00000254A390F0AB
WriteFile.KERNEL32 ref: 00000254A390F0C8
GetLastError.KERNEL32 ref: 00000254A390F0D2
CloseHandle.KERNEL32 ref: 00000254A390F0E0
memset.NTDLL ref: 00000254A390F108
memset.NTDLL ref: 00000254A390F178
VirtualAlloc.KERNEL32 ref: 00000254A390F1DF
wsprintfW.USER32 ref: 00000254A390F209
CreateProcessW.KERNEL32 ref: 00000254A390F285
CloseHandle.KERNEL32 ref: 00000254A390F295
CloseHandle.KERNEL32 ref: 00000254A390F2AA
VirtualFree.KERNEL32 ref: 00000254A390F2C0

Strings

\rar.exe, xrefs: 00000254A390F00A
h, xrefs: 00000254A390F274
rar.exe x "%s" "%s", xrefs: 00000254A390F202

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseErrorHandleLastmemset$CreateFileVirtual$AllocDirectoryFreeProcessWindowsWritelstrcatwsprintf
String ID: \rar.exe$h$rar.exe x "%s" "%s"
API String ID: 2158214755-1420003661
Opcode ID: fbf86ac99dbef88f820f1243c357f17008eabb307d09fe21cb03ae58ae84416a
Instruction ID: 3c03614776bd62697c690d05e34dbe868f229c960c577e343d3ae65766c20dd5
Opcode Fuzzy Hash: fbf86ac99dbef88f820f1243c357f17008eabb307d09fe21cb03ae58ae84416a
Instruction Fuzzy Hash: B4818D32764B9087E760DF61EC5839DA7A5F789B8DF001225CE4A47A58EF39C288CB04

Function 00000254A3906F60 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 174memoryprocessstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A3906C70: memcpy.NTDLL ref: 00000254A3906C8E
Part of subcall function 00000254A3906C70: memset.NTDLL ref: 00000254A3906CA0
Part of subcall function 00000254A3906C70: lstrcatA.KERNEL32 ref: 00000254A3906CC0
Part of subcall function 00000254A3906C70: lstrcatW.KERNEL32 ref: 00000254A3906CF4

GetCurrentProcessId.KERNEL32 ref: 00000254A3906FDB
ProcessIdToSessionId.KERNEL32 ref: 00000254A3906FEB
CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A3907014
GetProcessHeap.KERNEL32 ref: 00000254A3907023
HeapAlloc.KERNEL32 ref: 00000254A3907036
CloseHandle.KERNEL32 ref: 00000254A3907047
WTSGetActiveConsoleSessionId.KERNEL32 ref: 00000254A3907056
Process32FirstW.KERNEL32 ref: 00000254A3907084
lstrcmpiW.KERNEL32 ref: 00000254A39070AB
Process32NextW.KERNEL32 ref: 00000254A39070BB
GetProcessHeap.KERNEL32 ref: 00000254A39070D3
HeapFree.KERNEL32 ref: 00000254A39070E1
CloseHandle.KERNEL32 ref: 00000254A39070EA
ProcessIdToSessionId.KERNEL32 ref: 00000254A3907104
CreateThread.KERNEL32 ref: 00000254A3907127
VirtualFree.KERNEL32 ref: 00000254A39071B6
VirtualFree.KERNEL32 ref: 00000254A39071E0
VirtualFree.KERNEL32 ref: 00000254A39071FB
VirtualFree.KERNEL32 ref: 00000254A3907225

Strings

explorer.exe, xrefs: 00000254A39070A4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$FreeProcess$Heap$EnterReadSession$CloseCreateHandleLeaveProcess32lstrcat$ActiveConsoleCurrentFirstInitializeNextSnapshotThreadToolhelp32lstrcmpimemcpymemset
String ID: explorer.exe
API String ID: 1072794995-3187896405
Opcode ID: 3a93d8f6808cd038349fc4e197abe7e334fd4ca4ae3e3deed15c5e30cb85c88f
Instruction ID: 9627337afd659740a8349ce6d0af347cb06b14dbcd8fe6b4e6e716ea521fb8a6
Opcode Fuzzy Hash: 3a93d8f6808cd038349fc4e197abe7e334fd4ca4ae3e3deed15c5e30cb85c88f
Instruction Fuzzy Hash: 8A718221365F4083FBD4AF21ED6832AA7A9FB89F9EF444114CA4643B94EF38C4D98705

Function 00000254A391CE70 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 109stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000254A391CE9E
OpenProcessToken.ADVAPI32 ref: 00000254A391CEB1
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A391CED9
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A391CEFB
GetLastError.KERNEL32 ref: 00000254A391CF01
CloseHandle.KERNEL32 ref: 00000254A391CF17
GetCurrentProcess.KERNEL32 ref: 00000254A391CF2D
OpenProcessToken.ADVAPI32 ref: 00000254A391CF42
LookupPrivilegeValueW.ADVAPI32 ref: 00000254A391CF6A
AdjustTokenPrivileges.ADVAPI32 ref: 00000254A391CF8E
GetLastError.KERNEL32 ref: 00000254A391CF94
CloseHandle.KERNEL32 ref: 00000254A391CFAA
memset.NTDLL ref: 00000254A391CFC2
OpenProcess.KERNEL32 ref: 00000254A391CFD1
K32EnumProcessModules.KERNEL32 ref: 00000254A391CFFB
K32GetProcessImageFileNameW.KERNEL32 ref: 00000254A391D00F
lstrcpyW.KERNEL32 ref: 00000254A391D023
CloseHandle.KERNEL32 ref: 00000254A391D040

Strings

SeTcbPrivilege, xrefs: 00000254A391CF59
SeDebugPrivilege, xrefs: 00000254A391CEC8

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$Token$CloseHandleOpen$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue$EnumFileImageModulesNamelstrcpymemset
String ID: SeDebugPrivilege$SeTcbPrivilege
API String ID: 4244359295-3171858176
Opcode ID: afd95e7b21561ac8f3792b67cd5ce759562a791877db9a9ce67460e1baa5020e
Instruction ID: f35b0b31e5f0086f921af0e2cfcc08197ed68a4117c154512551afe056d86bea
Opcode Fuzzy Hash: afd95e7b21561ac8f3792b67cd5ce759562a791877db9a9ce67460e1baa5020e
Instruction Fuzzy Hash: F2518271369F4083E7E0AF21EC58399A768F748BAEF405215D95A42AD8EF3CC5C9CB05

Function 00000254A3937630 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 274networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00000254A393776D
setsockopt.WS2_32 ref: 00000254A39377AF
setsockopt.WS2_32 ref: 00000254A39377CC
setsockopt.WS2_32 ref: 00000254A3937913
WSAGetLastError.WS2_32 ref: 00000254A393791D
listen.WS2_32 ref: 00000254A393792F
closesocket.WS2_32 ref: 00000254A393799E
WSAGetLastError.WS2_32 ref: 00000254A3937A71
closesocket.WS2_32 ref: 00000254A3937AA0
closesocket.WS2_32 ref: 00000254A3937AC8

Strings

lws_create_vhost, xrefs: 00000254A3937638
ERROR opening socket, xrefs: 00000254A3937AD5
listen failed with error %d, xrefs: 00000254A3937A77
%s: VH %s: iface %s port %d DOESN'T EXIST, xrefs: 00000254A39379D5
Out of mem, xrefs: 00000254A3937AAD
%s: VH %s: iface %s port %d NOT USABLE, xrefs: 00000254A3937A2D
_lws_vhost_init_server_af, xrefs: 00000254A39379CE, 00000254A3937A26
listen|%s|%s|%d, xrefs: 00000254A3937982
reuseaddr failed, xrefs: 00000254A3937AB6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: closesocketsetsockopt$ErrorLast$listensocket
String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
API String ID: 3630065070-1684632830
Opcode ID: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
Instruction ID: 84135511f2d1a550fb58a0f83c61a32eca0edd394879e85fe9e37601b01bed2a
Opcode Fuzzy Hash: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
Instruction Fuzzy Hash: 67D19FB2250E8583EB94EB16D8687D9B7A8F348B9DF044229DA19877B0EF34C5D5C708

Function 00000254A390C850 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 244filestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A390C895
lstrcatW.KERNEL32 ref: 00000254A390C8A4
lstrcatW.KERNEL32 ref: 00000254A390C8B8
memset.NTDLL ref: 00000254A390C8CB
FindFirstFileW.KERNEL32 ref: 00000254A390C8DC

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

FindNextFileW.KERNEL32 ref: 00000254A390C935
FindNextFileW.KERNEL32 ref: 00000254A390C999
VirtualFree.KERNEL32 ref: 00000254A390CA54
VirtualFree.KERNEL32 ref: 00000254A390CA7E
VirtualFree.KERNEL32 ref: 00000254A390CA94
VirtualFree.KERNEL32 ref: 00000254A390CABE
VirtualFree.KERNEL32 ref: 00000254A390CAD9
VirtualFree.KERNEL32 ref: 00000254A390CB03
FindClose.KERNEL32 ref: 00000254A390CB0C
VirtualFree.KERNEL32 ref: 00000254A390CB2C
VirtualFree.KERNEL32 ref: 00000254A390CB56
VirtualFree.KERNEL32 ref: 00000254A390CB71
VirtualFree.KERNEL32 ref: 00000254A390CB9B

Strings

*.*, xrefs: 00000254A390C8AA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$Find$EnterFileRead$LeaveNextlstrcatmemset$CloseFirstInitialize
String ID: *.*
API String ID: 3909642798-438819550
Opcode ID: 4ce18a9b90196395475cfb8a2b41f3e008fbd196779cbce07c17fbf59d62ab14
Instruction ID: 7540833e05b42f310b4d08e984a8c4348053c481b688a052206d2ef0a5865df5
Opcode Fuzzy Hash: 4ce18a9b90196395475cfb8a2b41f3e008fbd196779cbce07c17fbf59d62ab14
Instruction Fuzzy Hash: FDA18525365F4183FBA4EF26EC6865AA7A9FB89F8DF048014CE4647754EF39C489CB04

Function 00000254A3913BC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 197stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000254A3913C12
malloc.MSVCRT ref: 00000254A3913C2E
free.MSVCRT ref: 00000254A3913C3F
memset.NTDLL ref: 00000254A3913C77
GetCursorInfo.USER32 ref: 00000254A3913C94
GetCursorPos.USER32 ref: 00000254A3913C9E
GetForegroundWindow.USER32 ref: 00000254A3913CAC
GetWindowTextW.USER32 ref: 00000254A3913CC3
GetTickCount.KERNEL32 ref: 00000254A3913CEE
GetTickCount.KERNEL32 ref: 00000254A3913CFA
wsprintfW.USER32 ref: 00000254A3913D3F
lstrlenW.KERNEL32 ref: 00000254A3913D48

Strings

%s|%d, xrefs: 00000254A3913D28

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CountCursorTickWindowmalloc$ForegroundInfoTextfreelstrlenmemsetwsprintf
String ID: %s|%d
API String ID: 14445030-1229896841
Opcode ID: 39f0c2668db1b372d72f0baae9c1b4d9b698ffe5f9ed2b9c4655611148b82a9b
Instruction ID: 9fc3c4f7c069df20c49e7c39f7b6dcae4b1320c1a1bb933c086c12e8335b9fd9
Opcode Fuzzy Hash: 39f0c2668db1b372d72f0baae9c1b4d9b698ffe5f9ed2b9c4655611148b82a9b
Instruction Fuzzy Hash: 39817F21761F4087EB94EF26EC68368A7A9FB49B8EF044125DE4A17B54EF38C5C9C704

Function 00000254A39163C0 Relevance: 33.3, APIs: 15, Strings: 4, Instructions: 76servicestringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A39163D9
lstrcatW.KERNEL32 ref: 00000254A39163ED
memset.NTDLL ref: 00000254A3916400
GetWindowsDirectoryW.KERNEL32 ref: 00000254A391640F
GetLastError.KERNEL32 ref: 00000254A3916419
lstrcatW.KERNEL32 ref: 00000254A391642B
OpenSCManagerW.ADVAPI32 ref: 00000254A391643B
GetLastError.KERNEL32 ref: 00000254A3916449
CreateServiceW.ADVAPI32 ref: 00000254A39164C0
GetLastError.KERNEL32 ref: 00000254A39164CE
CloseServiceHandle.ADVAPI32 ref: 00000254A39164D7
GetLastError.KERNEL32 ref: 00000254A39164DD
StartServiceW.ADVAPI32 ref: 00000254A39164FC
CloseServiceHandle.ADVAPI32 ref: 00000254A3916505
CloseServiceHandle.ADVAPI32 ref: 00000254A391650E

Strings

\system32\drivers\tpdrivers.sys, xrefs: 00000254A391641F
FSFilter Activity Monitor, xrefs: 00000254A391648D
tpdrivers, xrefs: 00000254A39163DE
FltMgr, xrefs: 00000254A3916467

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandle$lstrcatmemset$CreateDirectoryManagerOpenStartWindows
String ID: FSFilter Activity Monitor$FltMgr$\system32\drivers\tpdrivers.sys$tpdrivers
API String ID: 4233479461-606275738
Opcode ID: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
Instruction ID: 2a1723df26c90a00f17aa2802da23b298135fb0b35128e528606bc5e758e25e6
Opcode Fuzzy Hash: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
Instruction Fuzzy Hash: 7D316525769F4083EB90AB54FC6835AA7A8F78C75EF440025DA8A02664FF3CC1CDCB09

Function 00000254A3911F80 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 212filestringmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3911FB4

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

lstrcatW.KERNEL32 ref: 00000254A3911FD0
lstrcatW.KERNEL32 ref: 00000254A3911FE5
CreateFileW.KERNEL32 ref: 00000254A3912014
GetFileSize.KERNEL32 ref: 00000254A391202C
VirtualAlloc.KERNEL32 ref: 00000254A3912042
CloseHandle.KERNEL32 ref: 00000254A3912058
VirtualFree.KERNEL32 ref: 00000254A391206E
ReadFile.KERNEL32 ref: 00000254A39120AB
VirtualFree.KERNEL32 ref: 00000254A3912191
CloseHandle.KERNEL32 ref: 00000254A391219F
VirtualFree.KERNEL32 ref: 00000254A3912243
VirtualFree.KERNEL32 ref: 00000254A391226D
VirtualFree.KERNEL32 ref: 00000254A3912283
VirtualFree.KERNEL32 ref: 00000254A39122AD

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A3911FBE
\temp.key, xrefs: 00000254A3911FD6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Read$EnterFile$CloseHandleLeavelstrcat$CreateInitializeSizememset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 1994389154-229217837
Opcode ID: 92afef74a29b292eaf857ba6167df423d94299ef4b9599aef15cf14ad88bc85f
Instruction ID: 82c71b49bf27598705903e0e70cc19261401177b5a41c122a63026014ac3474c
Opcode Fuzzy Hash: 92afef74a29b292eaf857ba6167df423d94299ef4b9599aef15cf14ad88bc85f
Instruction Fuzzy Hash: 9A91C832725F4083EB94EF26E858759B7A5FBC9B89F008615DE8A43B54EF38C594C704

Function 00000254A390A190 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 149filestringmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000254A390A1AB
memset.NTDLL ref: 00000254A390A1C4
lstrcatW.KERNEL32 ref: 00000254A390A1D5
lstrcatW.KERNEL32 ref: 00000254A390A1E7
CreateFileW.KERNEL32 ref: 00000254A390A21E
CreateFileW.KERNEL32 ref: 00000254A390A253
SetFilePointer.KERNEL32 ref: 00000254A390A268
WriteFile.KERNEL32 ref: 00000254A390A297
SetFileAttributesW.KERNEL32 ref: 00000254A390A2A6
SetFilePointer.KERNEL32 ref: 00000254A390A2BA
VirtualAlloc.KERNEL32 ref: 00000254A390A2CF
WriteFile.KERNEL32 ref: 00000254A390A3BA
VirtualFree.KERNEL32 ref: 00000254A390A3CB
SetFileAttributesW.KERNEL32 ref: 00000254A390A3DB
CloseHandle.KERNEL32 ref: 00000254A390A3E9

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A390A1C9
\temp.key, xrefs: 00000254A390A1DB

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 573267298-229217837
Opcode ID: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
Instruction ID: 459e24e24b61aa54d089e4482015abc09195e89095f258d027f17221e59e86b3
Opcode Fuzzy Hash: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
Instruction Fuzzy Hash: C261B232724E8583EBA0EF25E818B99B764FBC9B8DF508211DA8517B54FB3CC589C704

Function 00000254A39097D0 Relevance: 28.7, APIs: 19, Instructions: 155clipboardstringmemoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000254A390983F
LeaveCriticalSection.KERNEL32 ref: 00000254A390986F
EnterCriticalSection.KERNEL32 ref: 00000254A390988F
LeaveCriticalSection.KERNEL32 ref: 00000254A39098C1
lstrlenW.KERNEL32 ref: 00000254A39098F7
memcmp.MSVCRT ref: 00000254A3909908
lstrlenW.KERNEL32 ref: 00000254A3909934
lstrlenW.KERNEL32 ref: 00000254A390993F
lstrlenW.KERNEL32 ref: 00000254A390994F
memcpy.NTDLL ref: 00000254A3909960
OpenClipboard.USER32 ref: 00000254A3909967
CloseClipboard.USER32 ref: 00000254A3909971
EmptyClipboard.USER32 ref: 00000254A3909977
GlobalAlloc.KERNEL32 ref: 00000254A3909985
GlobalLock.KERNEL32 ref: 00000254A3909996
memcpy.NTDLL ref: 00000254A39099AD
GlobalUnlock.KERNEL32 ref: 00000254A39099B5
SetClipboardData.USER32 ref: 00000254A39099C3
CloseClipboard.USER32 ref: 00000254A39099C9

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Clipboard$CriticalSectionlstrlen$Global$CloseEnterLeavememcpy$AllocDataEmptyLockOpenUnlockmemcmp
String ID:
API String ID: 1993803941-0
Opcode ID: f9a916733851e6dc62f61d2f66a0daea919dc5e740a42f29a2d1ffc9bea0251b
Instruction ID: c1c3f3ab179721a3e661e3ae9ebfafd92bd076a21140cf9d2be7a0fec515ddc8
Opcode Fuzzy Hash: f9a916733851e6dc62f61d2f66a0daea919dc5e740a42f29a2d1ffc9bea0251b
Instruction Fuzzy Hash: 345143513A5F0187FA94BB519D6C329E7A9FB4DB8EF0444218E1A077A4FF38D8C58308

Function 00000254A390F710 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 196memoryinjectionlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A390F560: VirtualAlloc.KERNEL32 ref: 00000254A390F59E
Part of subcall function 00000254A390F560: memcpy.NTDLL ref: 00000254A390F5BA
Part of subcall function 00000254A390F560: VirtualFree.KERNEL32 ref: 00000254A390F6AF

VirtualAllocEx.KERNEL32 ref: 00000254A390F764
GetLastError.KERNEL32 ref: 00000254A390F772
WriteProcessMemory.KERNEL32 ref: 00000254A390F793
VirtualAllocEx.KERNEL32 ref: 00000254A390F7B3
WriteProcessMemory.KERNEL32 ref: 00000254A390F7D6
VirtualAllocEx.KERNEL32 ref: 00000254A390F7F7
WriteProcessMemory.KERNEL32 ref: 00000254A390F8D7
VirtualProtectEx.KERNEL32 ref: 00000254A390F900
VirtualProtectEx.KERNEL32 ref: 00000254A390F91C
GetModuleHandleW.KERNEL32 ref: 00000254A390F937
GetProcAddress.KERNEL32 ref: 00000254A390F947

Strings

h, xrefs: 00000254A390F88F
ntdll.dll, xrefs: 00000254A390F928
@, xrefs: 00000254A390F7E2
ZwCreateThreadEx, xrefs: 00000254A390F940

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
String ID: @$ZwCreateThreadEx$h$ntdll.dll
API String ID: 2541485474-1855171776
Opcode ID: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
Instruction ID: f2afaa90aa4703a51aec62884d239008d78fc78f7f5997d04fb241b729e2e949
Opcode Fuzzy Hash: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
Instruction Fuzzy Hash: 30813622724B808BF764DF79AC543ADAF64F74A78CF040219DE9A13B89DB38C285C744

Function 00000254A3902B50 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 156comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00000254A3902B6A
CLSIDFromString.OLE32 ref: 00000254A3902E4D
IIDFromString.OLE32 ref: 00000254A3902E5F
CoCreateInstance.OLE32 ref: 00000254A3902E7C

Strings

Y:\:, xrefs: 00000254A3902C05
:Y:, xrefs: 00000254A3902D84
\:[:, xrefs: 00000254A3902CDD
X:[:, xrefs: 00000254A3902CEC
^:G:, xrefs: 00000254A3902C79
A::, xrefs: 00000254A3902B7E
X:^:, xrefs: 00000254A3902C15
:, xrefs: 00000254A3902DF0
:, xrefs: 00000254A3902DC5
:_:, xrefs: 00000254A3902C1D
Y::, xrefs: 00000254A3902D8C
\:^:, xrefs: 00000254A3902D94

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FromString$CreateInitializeInstance
String ID: :_:$:Y:$:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 511945936-736265694
Opcode ID: f4bb76e33d73f4eed76eb8cf699106e415e7ba4134a3637e02159dfe64d1d0e5
Instruction ID: b1ac1489069fe6dcac478464fe2a187fe62f313730d09cd6e1f0aabe7903fb0c
Opcode Fuzzy Hash: f4bb76e33d73f4eed76eb8cf699106e415e7ba4134a3637e02159dfe64d1d0e5
Instruction Fuzzy Hash: 48910D73918BC4CBE3118F79A4016AABB60F7E9348F10A249EBC556919EB7CE584CF00

Function 00000254A390BFC0 Relevance: 28.0, APIs: 12, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00000254A390BFCF
ClearEventLogW.ADVAPI32 ref: 00000254A390BFE2
CloseEventLog.ADVAPI32 ref: 00000254A390BFEB
OpenEventLogW.ADVAPI32 ref: 00000254A390BFFA
ClearEventLogW.ADVAPI32 ref: 00000254A390C00D
CloseEventLog.ADVAPI32 ref: 00000254A390C016
OpenEventLogW.ADVAPI32 ref: 00000254A390C025
ClearEventLogW.ADVAPI32 ref: 00000254A390C038
CloseEventLog.ADVAPI32 ref: 00000254A390C041
OpenEventLogW.ADVAPI32 ref: 00000254A390C050
ClearEventLogW.ADVAPI32 ref: 00000254A390C063
CloseEventLog.ADVAPI32 ref: 00000254A390C06C

Strings

Application, xrefs: 00000254A390BFC6
Setup, xrefs: 00000254A390C047
System, xrefs: 00000254A390C01C
Security, xrefs: 00000254A390BFF1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$Setup$System
API String ID: 1391105993-476969907
Opcode ID: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
Instruction ID: 4e1c7a56daeea11a225d6ccf1da52c834f879b7e4a38b7b41173f2418622ce2c
Opcode Fuzzy Hash: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
Instruction Fuzzy Hash: 3411BF557A6F0283FE98BB367C3D255D699AF4DB4EF484528880A86350FE3CC0CD8709

Function 00000254A3914FC0 Relevance: 25.7, APIs: 17, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A391500E
VirtualFree.KERNEL32 ref: 00000254A3915038
VirtualAlloc.KERNEL32 ref: 00000254A391504F
VirtualAlloc.KERNEL32 ref: 00000254A39150EF
InitializeCriticalSection.KERNEL32 ref: 00000254A3915109
CreateEventW.KERNEL32 ref: 00000254A3915126
VirtualFree.KERNEL32 ref: 00000254A391518D
VirtualFree.KERNEL32 ref: 00000254A39151B7
CloseHandle.KERNEL32 ref: 00000254A39151D8
IsBadReadPtr.KERNEL32 ref: 00000254A39151EE
IsBadReadPtr.KERNEL32 ref: 00000254A3915215
WaitForMultipleObjects.KERNEL32 ref: 00000254A3915256
CloseHandle.KERNEL32 ref: 00000254A3915269
IsBadReadPtr.KERNEL32 ref: 00000254A3915288
VirtualFree.KERNEL32 ref: 00000254A39152D6
VirtualFree.KERNEL32 ref: 00000254A3915300
VirtualFree.KERNEL32 ref: 00000254A391532D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalFreeSection$Read$Enter$CloseHandleInitializeLeave$CreateEventMultipleObjectsWait
String ID:
API String ID: 1725847572-0
Opcode ID: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
Instruction ID: dc1eb31b2a6af314d9e0358be6c6757c72dad46a97cc80425f2ad80cc8112542
Opcode Fuzzy Hash: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
Instruction Fuzzy Hash: F6A15F36362F4086EB94EF22E868359B3A9FB88F9DF458115CE4953B54EF38C894C744

Function 00000254A3923760 Relevance: 25.7, APIs: 17, Instructions: 183filememoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000254A39237A7
memcpy.NTDLL ref: 00000254A39237B9
CreateFileW.KERNEL32 ref: 00000254A39237F8
GetFileSize.KERNEL32 ref: 00000254A3923821
SetFilePointer.KERNEL32 ref: 00000254A392383D
VirtualAlloc.KERNEL32 ref: 00000254A3923854
GetLastError.KERNEL32 ref: 00000254A3923862
free.MSVCRT ref: 00000254A3923876
ReadFile.KERNEL32 ref: 00000254A39238BC
VirtualFree.KERNEL32 ref: 00000254A3923988
VirtualFree.KERNEL32 ref: 00000254A39239B2
VirtualFree.KERNEL32 ref: 00000254A39239C8
VirtualFree.KERNEL32 ref: 00000254A39239F2
GetLastError.KERNEL32 ref: 00000254A39239FA
VirtualFree.KERNEL32 ref: 00000254A3923A16

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

GetLastError.KERNEL32 ref: 00000254A3923A21
free.MSVCRT ref: 00000254A3923A35

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$Free$FileRead$EnterErrorLast$Leavefree$CreateInitializePointerSizemallocmemcpy
String ID:
API String ID: 1128571104-0
Opcode ID: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
Instruction ID: f8bde99f95aa3c570322f745252e03103d3de6e1daf2d03f286073ea8a5d653c
Opcode Fuzzy Hash: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
Instruction Fuzzy Hash: 5F71C636325F4087E7A4EF62E86875AB7A9F78DB89F004114DE8A47B54EF38C489C705

Function 00000254A3911A10 Relevance: 25.7, APIs: 17, Instructions: 178networkCOMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A3911A2A
memset.NTDLL ref: 00000254A3911A74
WSACreateEvent.WS2_32 ref: 00000254A3911A79
WSACreateEvent.WS2_32 ref: 00000254A3911A82
WSAEventSelect.WS2_32 ref: 00000254A3911A97
WSAEventSelect.WS2_32 ref: 00000254A3911AA9
WSAWaitForMultipleEvents.WS2_32 ref: 00000254A3911AE0
WSAEnumNetworkEvents.WS2_32 ref: 00000254A3911B0A
memset.NTDLL ref: 00000254A3911B31
recv.WS2_32 ref: 00000254A3911B4A
WSAEnumNetworkEvents.WS2_32 ref: 00000254A3911B92
WSAWaitForMultipleEvents.WS2_32 ref: 00000254A3911BF9
CancelIo.KERNEL32 ref: 00000254A3911C26
closesocket.WS2_32 ref: 00000254A3911C2F
VirtualFree.KERNEL32 ref: 00000254A3911C4A
VirtualFree.KERNEL32 ref: 00000254A3911C7A
VirtualFree.KERNEL32 ref: 00000254A3911C8B

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: EventEvents$FreeVirtual$CreateEnumMultipleNetworkSelectWaitmemset$Cancel__chkstkclosesocketrecv
String ID:
API String ID: 3006828577-0
Opcode ID: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
Instruction ID: cbc757cb40fa405ac43b84f34903b3c59148553e5da1eeea5375f840297c99fc
Opcode Fuzzy Hash: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
Instruction Fuzzy Hash: 5871F232365E4083EBE0AB26EC6875AA799F789B9EF044010DE5A43794FF38C8C58705

Function 00000254A391E010 Relevance: 25.7, APIs: 17, Instructions: 170keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 00000254A391E024
BlockInput.USER32 ref: 00000254A391E061
GetDC.USER32 ref: 00000254A391E0A4
GetDeviceCaps.GDI32 ref: 00000254A391E10C
GetDeviceCaps.GDI32 ref: 00000254A391E11A
GetDeviceCaps.GDI32 ref: 00000254A391E128
GetDeviceCaps.GDI32 ref: 00000254A391E156
MapVirtualKeyW.USER32 ref: 00000254A391E1BC
keybd_event.USER32 ref: 00000254A391E1D0
BlockInput.USER32 ref: 00000254A391E355

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CapsDevice$BlockInput$Virtualkeybd_event
String ID:
API String ID: 4019288356-0
Opcode ID: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
Instruction ID: 451bfa85f6880056251f3876c9ad9aa3cc5603997c096b7fe41faf95cdfbecc5
Opcode Fuzzy Hash: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
Instruction Fuzzy Hash: A4611C32B68E8083E3D5AB31AC6D75AF7A9FB8D74EF144211DA4612654EF38D8C5CB04

Function 00000254A3946670 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 258stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00000254A394669A

Strings

lws_create_vhost, xrefs: 00000254A394667D
%s: malformed ip address, xrefs: 00000254A3946991
lws_parse_numeric_address, xrefs: 00000254A394693B, 00000254A3946985
%s: ended on e %d, xrefs: 00000254A3946942

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: strchr
String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
API String ID: 2830005266-2525933588
Opcode ID: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
Instruction ID: 8c921f58d472ab40688b7bccc29c34f440749104b97bd2cb748c6e7f638c4568
Opcode Fuzzy Hash: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
Instruction Fuzzy Hash: 5EA15DE13B4E8043FAE0AE289C3C3AAE659A7417AEF544215DA97076D5FA74C8C5C30C

Function 00000254A39073D0 Relevance: 24.2, APIs: 16, Instructions: 212pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3907423

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903568
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390363E
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654

Part of subcall function 00000254A3906C70: memcpy.NTDLL ref: 00000254A3906C8E
Part of subcall function 00000254A3906C70: memset.NTDLL ref: 00000254A3906CA0
Part of subcall function 00000254A3906C70: lstrcatA.KERNEL32 ref: 00000254A3906CC0
Part of subcall function 00000254A3906C70: lstrcatW.KERNEL32 ref: 00000254A3906CF4

VirtualFree.KERNEL32 ref: 00000254A390744D
VirtualFree.KERNEL32 ref: 00000254A390749D
VirtualFree.KERNEL32 ref: 00000254A39074C7
VirtualFree.KERNEL32 ref: 00000254A39074EF
VirtualFree.KERNEL32 ref: 00000254A3907519
DisconnectNamedPipe.KERNEL32 ref: 00000254A3907546
CloseHandle.KERNEL32 ref: 00000254A3907555
DeleteCriticalSection.KERNEL32 ref: 00000254A3907563
VirtualFree.KERNEL32 ref: 00000254A3907574
VirtualFree.KERNEL32 ref: 00000254A3907615
VirtualFree.KERNEL32 ref: 00000254A390763F
VirtualFree.KERNEL32 ref: 00000254A3907655
VirtualFree.KERNEL32 ref: 00000254A390767F
VirtualFree.KERNEL32 ref: 00000254A3907695

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903678
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903691
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036A7
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036CB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39036E4
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036FA
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903726
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390373F
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903755
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903779
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903792
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39037A8

Part of subcall function 00000254A3906BC0: IsBadReadPtr.KERNEL32 ref: 00000254A3906BE3
Part of subcall function 00000254A3906BC0: EnterCriticalSection.KERNEL32(?,?,00000038,00000254A39071A6), ref: 00000254A3906BFE
Part of subcall function 00000254A3906BC0: LeaveCriticalSection.KERNEL32(?,?,00000038,00000254A39071A6), ref: 00000254A3906C21

VirtualFree.KERNEL32 ref: 00000254A39076BF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Free$EnterRead$Leave$Alloc$lstrcat$CloseDeleteDisconnectHandleInitializeNamedPipememcpymemset
String ID:
API String ID: 4255235403-0
Opcode ID: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
Instruction ID: 6e32946221d56a78f098e154cbf644554bd32e598405cabbd9b592d8af2d52cd
Opcode Fuzzy Hash: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
Instruction Fuzzy Hash: 97915321766F4087FB94EF66D868229B765FB89F8AF088114CE8A03B55EF38D4D48705

Function 00000254A392DE00 Relevance: 22.9, APIs: 1, Strings: 14, Instructions: 382stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3933210: memset.NTDLL ref: 00000254A39332AD

strcmp.MSVCRT ref: 00000254A392E333

Strings

novh, xrefs: 00000254A392E201
free, xrefs: 00000254A392DF08, 00000254A392E445
unable to bind to role, xrefs: 00000254A392E076
No vhost in the context, xrefs: 00000254A392E032
%s/%s/%s/%s, xrefs: 00000254A392E275
lws_client_connect_via_info, xrefs: 00000254A392DED6, 00000254A392E039, 00000254A392E125
no vhost, xrefs: 00000254A392DEDD
lws not configured for tls, xrefs: 00000254A392E18E
YZ[\X]^_RAW, xrefs: 00000254A392E408
system, xrefs: 00000254A392DF79
MQTT, xrefs: 00000254A392E3E5
lws_free, xrefs: 00000254A392DF16
raw-proxy, xrefs: 00000254A392E32C
default, xrefs: 00000254A392DEA0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memsetstrcmp
String ID: %s/%s/%s/%s$MQTT$No vhost in the context$YZ[\X]^_RAW$default$free$lws not configured for tls$lws_client_connect_via_info$lws_free$no vhost$novh$raw-proxy$system$unable to bind to role
API String ID: 195427100-1777779229
Opcode ID: 0a50994659bfa9390f8cb93d3ee09e1d8e146c54073cf66cc204a343bb942911
Instruction ID: fc1d8ff5996bf5498cf657e481d39bf540cff89decb175c7424d0b27f5d82905
Opcode Fuzzy Hash: 0a50994659bfa9390f8cb93d3ee09e1d8e146c54073cf66cc204a343bb942911
Instruction Fuzzy Hash: AF028B22251F8487EB95EF61D8A83A9B7A8F748B8EF484026DF4D4B754EF34D094C708

Function 00000254A3946B30 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00000254A3946C07
_unlink.MSVCRT ref: 00000254A3946D10
bind.WS2_32 ref: 00000254A3946D2C
WSAGetLastError.WS2_32 ref: 00000254A3946D3D
getsockname.WS2_32 ref: 00000254A3946DEA
htons.WS2_32 ref: 00000254A3946DFB

Strings

lws_create_vhost, xrefs: 00000254A3946B3C
ERROR on binding fd %d to port %d (%d %d), xrefs: 00000254A3946DA8
@, xrefs: 00000254A3946CFE
ERROR on binding fd %d to "%s" (%d %d), xrefs: 00000254A3946D77
"%s" too long for UNIX domain socket, xrefs: 00000254A3946C7F
lws_socket_bind, xrefs: 00000254A3946C89, 00000254A3946D57

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: htons$ErrorLast_unlinkbindgetsockname
String ID: "%s" too long for UNIX domain socket$@$ERROR on binding fd %d to "%s" (%d %d)$ERROR on binding fd %d to port %d (%d %d)$lws_create_vhost$lws_socket_bind
API String ID: 4073785539-2597659182
Opcode ID: 24bc8069ff57ac113c3f7b0f3bc0ec0c4e81cfd8a2103457d748139057c3f398
Instruction ID: 74e462956636123d3216cb96dcade70ca8fc5654994f8d751f3f6ebbca1b33b9
Opcode Fuzzy Hash: 24bc8069ff57ac113c3f7b0f3bc0ec0c4e81cfd8a2103457d748139057c3f398
Instruction Fuzzy Hash: 6C81C562664F8087E7A0EF60EC643EDB7A4F39979DF409216EE8917A55EB38C1C4C704

Function 00000254A39130FE Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 150sleepCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00000254A3916AC8
VirtualFree.KERNEL32 ref: 00000254A3916AF2
malloc.MSVCRT ref: 00000254A3916B7D
malloc.MSVCRT ref: 00000254A3916B89
VirtualFree.KERNEL32 ref: 00000254A3916BE2
VirtualFree.KERNEL32 ref: 00000254A3916C0C
NetUserAdd.NETAPI32 ref: 00000254A3916C46
Sleep.KERNEL32 ref: 00000254A3916C51
NetLocalGroupAddMembers.NETAPI32 ref: 00000254A3916C76
free.MSVCRT ref: 00000254A3916C89
free.MSVCRT ref: 00000254A3916C92

Strings

Administrators, xrefs: 00000254A3916C6D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeVirtual$freemalloc$GroupLocalMembersSleepUser
String ID: Administrators
API String ID: 2980277588-3395160503
Opcode ID: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
Instruction ID: c472305c22dcb24ae0d627a316e98307288b215609ce9dc1fe33ff5c8f2e27d4
Opcode Fuzzy Hash: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
Instruction Fuzzy Hash: FF515332B61B008BE794EF75D86839D73A5FB89B4DF148025DE4A16B58EE38C4C5C744

Function 00000254A3901AE0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103memorynativesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00000254A3901B02
VirtualAlloc.KERNEL32 ref: 00000254A3901B29

Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32(?,?,?,?,?,?,00100000,00000254A3901B37), ref: 00000254A3910697
Part of subcall function 00000254A3910680: GetCurrentProcess.KERNEL32 ref: 00000254A39106C8
Part of subcall function 00000254A3910680: OpenProcessToken.ADVAPI32 ref: 00000254A39106D9
Part of subcall function 00000254A3910680: LookupPrivilegeValueW.ADVAPI32 ref: 00000254A3910701
Part of subcall function 00000254A3910680: AdjustTokenPrivileges.KERNELBASE ref: 00000254A3910721
Part of subcall function 00000254A3910680: GetLastError.KERNEL32 ref: 00000254A3910727
Part of subcall function 00000254A3910680: CloseHandle.KERNEL32 ref: 00000254A391073B
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A3910752
Part of subcall function 00000254A3910680: InitializeCriticalSection.KERNEL32 ref: 00000254A3910764
Part of subcall function 00000254A3910680: IsBadReadPtr.KERNEL32 ref: 00000254A391077D
Part of subcall function 00000254A3910680: EnterCriticalSection.KERNEL32 ref: 00000254A3910790
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A39107A7
Part of subcall function 00000254A3910680: LeaveCriticalSection.KERNEL32 ref: 00000254A39107D6
Part of subcall function 00000254A3910680: IsBadReadPtr.KERNEL32 ref: 00000254A39107E8
Part of subcall function 00000254A3910680: EnterCriticalSection.KERNEL32 ref: 00000254A39107FB
Part of subcall function 00000254A3910680: VirtualAlloc.KERNEL32 ref: 00000254A3910812

WaitForSingleObject.KERNEL32 ref: 00000254A3901B4D
NtQuerySystemInformation.NTDLL ref: 00000254A3901B6B
VirtualFree.KERNEL32 ref: 00000254A3901B89
VirtualAlloc.KERNEL32 ref: 00000254A3901B9D
memset.NTDLL ref: 00000254A3901BB9
NtQuerySystemInformation.NTDLL ref: 00000254A3901BD2
lstrcmpiW.KERNEL32 ref: 00000254A3901BF3
WaitForSingleObject.KERNEL32 ref: 00000254A3901C40
CloseHandle.KERNEL32 ref: 00000254A3901C54

Strings

taskmgr.exe, xrefs: 00000254A3901BEC

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
String ID: taskmgr.exe
API String ID: 441768363-4156271273
Opcode ID: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
Instruction ID: 5144d1834b83d04815e50565683782743be42dc2cabcfe974b0ea8e8ec1116ee
Opcode Fuzzy Hash: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
Instruction Fuzzy Hash: 07419535366E4583F794BF52AC2876AF759BB89BCEF0480189D0643A58FF38C884C748

Function 00000254A390AAD0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000254A390AB23
RegisterClassW.USER32 ref: 00000254A390AB46
CreateWindowExW.USER32 ref: 00000254A390AB9C
SetWindowLongPtrW.USER32 ref: 00000254A390ABB9
WTSRegisterSessionNotification.WTSAPI32 ref: 00000254A390ABC7
ShowWindow.USER32 ref: 00000254A390ABD6
GetMessageW.USER32 ref: 00000254A390AC01
TranslateMessage.USER32 ref: 00000254A390AC15
DispatchMessageW.USER32 ref: 00000254A390AC20
GetMessageW.USER32 ref: 00000254A390AC33
WTSUnRegisterSessionNotification.WTSAPI32 ref: 00000254A390AC40

Strings

Session Logon, xrefs: 00000254A390AB54

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
String ID: Session Logon
API String ID: 1979525249-2950959013
Opcode ID: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
Instruction ID: 558742c311bd0166f122f45948ebb215953d12b60baeaaee67fcadd273bf4d48
Opcode Fuzzy Hash: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
Instruction Fuzzy Hash: 09417332668F8183E750DF25FC6836AF7A8F79D749F554225DA8942A64EF78C0C8CB04

Function 00000254A3907FA0 Relevance: 19.7, APIs: 13, Instructions: 166memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3907FF4
VirtualFree.KERNEL32 ref: 00000254A390801E
VirtualAlloc.KERNEL32 ref: 00000254A3908035
VirtualAlloc.KERNEL32 ref: 00000254A39080D2
InitializeCriticalSection.KERNEL32 ref: 00000254A39080E4
CreateEventW.KERNEL32 ref: 00000254A3908104
VirtualFree.KERNEL32 ref: 00000254A390816E
VirtualFree.KERNEL32 ref: 00000254A3908198
GetCurrentThreadId.KERNEL32 ref: 00000254A390819E
IsBadReadPtr.KERNEL32 ref: 00000254A39081B5
EnterCriticalSection.KERNEL32 ref: 00000254A39081C8
VirtualAlloc.KERNEL32 ref: 00000254A39081DF
LeaveCriticalSection.KERNEL32 ref: 00000254A3908203

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterFreeRead$Leave$Initialize$CreateCurrentEventThread
String ID:
API String ID: 3016386783-0
Opcode ID: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
Instruction ID: 3120fcd8899dfb8b42ea35700110e62d2e525fb9ccabf41dfecebcc51ecb7c3c
Opcode Fuzzy Hash: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
Instruction Fuzzy Hash: CA719532325F4087EBA4EF22E858659B7A8FB48B89F448125CF8A43B54EF38D5D5C705

Function 00000254A390AE40 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80windowclipboardregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000254A390AE78
RegisterClassW.USER32 ref: 00000254A390AE9D
CreateWindowExW.USER32 ref: 00000254A390AEFB
SetClipboardViewer.USER32 ref: 00000254A390AF10
ShowWindow.USER32 ref: 00000254A390AF22
GetMessageW.USER32 ref: 00000254A390AF4A
TranslateMessage.USER32 ref: 00000254A390AF59
DispatchMessageW.USER32 ref: 00000254A390AF64
GetMessageW.USER32 ref: 00000254A390AF77
ChangeClipboardChain.USER32 ref: 00000254A390AF8B

Strings

CutActive, xrefs: 00000254A390AE7E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Message$ClipboardWindow$ChainChangeClassCreateDispatchHandleModuleRegisterShowTranslateViewer
String ID: CutActive
API String ID: 3542119435-15800375
Opcode ID: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
Instruction ID: 9b3c6a182bf126da0609d5e943cbf9f7da17e71da04c7082eec303d09d659737
Opcode Fuzzy Hash: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
Instruction Fuzzy Hash: C041A032768FC183E760DF25F86936AB7A4FB99789F554129DA8D42A14EF38C0C8C704

Function 00000254A391AA30 Relevance: 18.2, APIs: 12, Instructions: 204memorythreadnetworkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00000254A391AAA4
VirtualFree.KERNEL32 ref: 00000254A391AAC9
htons.WS2_32 ref: 00000254A391AADD

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903568
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390363E
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654

VirtualFree.KERNEL32 ref: 00000254A391AC00
VirtualFree.KERNEL32 ref: 00000254A391AC30
VirtualFree.KERNEL32 ref: 00000254A391AC46
VirtualFree.KERNEL32 ref: 00000254A391AC70
CreateThread.KERNEL32 ref: 00000254A391AC9B
IsBadReadPtr.KERNEL32 ref: 00000254A391ACB0
EnterCriticalSection.KERNEL32 ref: 00000254A391ACC3
VirtualAlloc.KERNEL32 ref: 00000254A391ACDA
LeaveCriticalSection.KERNEL32 ref: 00000254A391ACFE

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$CreateInitializeThreadgetaddrinfohtons
String ID:
API String ID: 900205276-0
Opcode ID: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
Instruction ID: 0bd507c0cc2352c1b25f66922f71535076e6bfc2f83ef7773f1ad2be2d2ecfce
Opcode Fuzzy Hash: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
Instruction Fuzzy Hash: 1A918C32721F4087EB94EF62D8286AD77A9FB88B8DF018025DE4A53754EF38C589C704

Function 00000254A3915F60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3915FAF
VirtualFree.KERNEL32 ref: 00000254A3915FD9
VirtualFree.KERNEL32 ref: 00000254A3916036
VirtualFree.KERNEL32 ref: 00000254A3916060
VirtualFree.KERNEL32 ref: 00000254A39160A2
CreateFileW.KERNEL32 ref: 00000254A39160CE
DeviceIoControl.KERNEL32 ref: 00000254A3916115
CloseHandle.KERNEL32 ref: 00000254A3916123

Strings

\\.\TrueSight, xrefs: 00000254A39160B8
D", xrefs: 00000254A3916101

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$CloseControlCreateDeviceFileHandleInitialize
String ID: D"$\\.\TrueSight
API String ID: 655973622-2684836731
Opcode ID: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
Instruction ID: bce65a6fff9a1608e2dbed37b683fd4dfa5ac48b36167023326961bd4ed16dca
Opcode Fuzzy Hash: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
Instruction Fuzzy Hash: 9D518432725F4087EBE4EF12E96835AB765FB89B89F448114DF8A03B54EF38D4948705

Function 00000254A3903E10 Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualAlloc.KERNEL32 ref: 00000254A3903E86
VirtualAlloc.KERNEL32 ref: 00000254A3903FAD
VirtualFree.KERNEL32 ref: 00000254A3903FC6
VirtualFree.KERNEL32 ref: 00000254A3903FDC
VirtualFree.KERNEL32 ref: 00000254A39040E0
VirtualFree.KERNEL32 ref: 00000254A390410A
VirtualFree.KERNEL32 ref: 00000254A390411B
VirtualFree.KERNEL32 ref: 00000254A3904006

Part of subcall function 00000254A3905070: _time64.MSVCRT ref: 00000254A39050E0
Part of subcall function 00000254A3905070: srand.MSVCRT ref: 00000254A39050E9
Part of subcall function 00000254A3905070: rand.MSVCRT ref: 00000254A3905100

VirtualFree.KERNEL32 ref: 00000254A39041CF
VirtualFree.KERNEL32 ref: 00000254A39041F9

Strings

:, xrefs: 00000254A3904180

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
String ID: :
API String ID: 3336294232-336475711
Opcode ID: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
Instruction ID: cf65dc9eefd960cf81866a317901c938daaf050cad98734ba7024dedce5ae6a3
Opcode Fuzzy Hash: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
Instruction Fuzzy Hash: 5EB1D622721F8082F7559F3AD828369A7A8FBCAF8DF049215EE8953745EF38C585C744

Function 00000254A3916200 Relevance: 15.1, APIs: 10, Instructions: 118clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A391624A
VirtualFree.KERNEL32 ref: 00000254A3916274
OpenClipboard.USER32 ref: 00000254A3916302
GlobalAlloc.KERNEL32 ref: 00000254A391631A
GlobalLock.KERNEL32 ref: 00000254A391632B
GlobalUnlock.KERNEL32 ref: 00000254A3916349
SetClipboardData.USER32 ref: 00000254A3916357
CloseClipboard.USER32 ref: 00000254A391635D
VirtualFree.KERNEL32 ref: 00000254A3916373
VirtualFree.KERNEL32 ref: 00000254A391639D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$Free$ClipboardEnterGlobalRead$Leave$CloseDataInitializeLockOpenUnlock
String ID:
API String ID: 1362927461-0
Opcode ID: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
Instruction ID: 91b762f32e335a18e621be032a5264ef45455f8f079526b69344c2247a24f6f9
Opcode Fuzzy Hash: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
Instruction Fuzzy Hash: D2415421725E4087EBE4AF22E96832DA765FB89F89F448114CF8A43F54EF38D4958704

Function 00000254A3954130 Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000254A395415B
memset.NTDLL ref: 00000254A39541B0
RtlCaptureContext.KERNEL32 ref: 00000254A39541CC
RtlLookupFunctionEntry.KERNEL32 ref: 00000254A39541E4
RtlVirtualUnwind.KERNEL32 ref: 00000254A3954222
IsDebuggerPresent.KERNEL32 ref: 00000254A3954263
SetUnhandledExceptionFilter.KERNEL32 ref: 00000254A395426D
UnhandledExceptionFilter.KERNEL32 ref: 00000254A3954278
GetCurrentProcess.KERNEL32 ref: 00000254A3954290
TerminateProcess.KERNEL32 ref: 00000254A395429E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
Instruction ID: 57ada5974f2e2f21ef570a3dd37eb60089520a2828b3543354566379538019a0
Opcode Fuzzy Hash: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
Instruction Fuzzy Hash: 3A419022A58F8187E790DF60EC643AEB774F79974DF005229DA8D06A59EF38C1D8C704

Function 00000254A3330E10 Relevance: 13.9, Strings: 11, Instructions: 162COMMON

Download Yara Rule

Strings

:, xrefs: 00000254A33310A0
^:G:, xrefs: 00000254A3330F44
:Y:, xrefs: 00000254A333103F
:_:, xrefs: 00000254A3330EF0
Y::, xrefs: 00000254A3331046
\:^:, xrefs: 00000254A333104D
X:^:, xrefs: 00000254A3330EE8
A::, xrefs: 00000254A3330E4F
X:[:, xrefs: 00000254A3330FAA
Y:\:, xrefs: 00000254A3330ED8
\:[:, xrefs: 00000254A3330F9B

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
API String ID: 0-2205580742
Opcode ID: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
Instruction ID: 735d654c1826384a2aa375a990052bd8b2c40d728d339a4327521d6e3b39b447
Opcode Fuzzy Hash: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
Instruction Fuzzy Hash: 9D91FE73D18BD4CAE311CF7999016ADBB70F79534CF10A249EB9466919EB78E580DF00

Function 00000254A391A7F0 Relevance: 13.7, APIs: 9, Instructions: 171COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00000254A391A865
VirtualFree.KERNEL32 ref: 00000254A391A88F
VirtualFree.KERNEL32 ref: 00000254A391A9EB
VirtualFree.KERNEL32 ref: 00000254A391AA15

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
Instruction ID: 6576efd79ce25c1f30e17fc92ef1a6e84eaf92c1275c3375fb5de582549b1e48
Opcode Fuzzy Hash: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
Instruction Fuzzy Hash: 36517636316F0087EB94EF26E96826DA765FB89F8AF044014CF4653B54EF38D8E68705

Function 00000254A3916810 Relevance: 13.7, APIs: 9, Instructions: 162stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

NetUserEnum.NETAPI32 ref: 00000254A391688C
lstrlenW.KERNEL32 ref: 00000254A39168CE
NetApiBufferFree.NETAPI32 ref: 00000254A3916929
malloc.MSVCRT ref: 00000254A3916945
VirtualFree.KERNEL32 ref: 00000254A39169F7
VirtualFree.KERNEL32 ref: 00000254A3916A21
free.MSVCRT ref: 00000254A3916A2A
VirtualFree.KERNEL32 ref: 00000254A3916A54
VirtualFree.KERNEL32 ref: 00000254A3916A7E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$BufferEnumInitializeUserfreelstrlenmalloc
String ID:
API String ID: 1638303497-0
Opcode ID: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
Instruction ID: d3e257b0f641335c72c91943c12616be40a5179e9f43889ad02a6e7aad995aab
Opcode Fuzzy Hash: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
Instruction Fuzzy Hash: DB614F36726B4087EBA4EF22E858359B7A8FB89B89F544115DF8A43754EF38C885C704

Function 00000254A3934F90 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 431COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00000254A39354C9

Strings

free, xrefs: 00000254A3934FF7, 00000254A393511F, 00000254A39351B1, 00000254A3935543
closed before established, xrefs: 00000254A3935439
Closed before conn, xrefs: 00000254A393567F
general child recurse, xrefs: 00000254A3935089
lws_free, xrefs: 00000254A393504C
__lws_close_free_wsi, xrefs: 00000254A3935224, 00000254A393539B

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: shutdown
String ID: Closed before conn$__lws_close_free_wsi$closed before established$free$general child recurse$lws_free
API String ID: 2510479042-3708836321
Opcode ID: 08e54d8c4f49b821f84dbb9f750c2f7eac050acfd9fd38b8d044c5e5df543ded
Instruction ID: 1c87ceb15bcf8294945616743b29b8f3ac17f50b32f3800a43915718d93156ee
Opcode Fuzzy Hash: 08e54d8c4f49b821f84dbb9f750c2f7eac050acfd9fd38b8d044c5e5df543ded
Instruction Fuzzy Hash: BB12B8A22A0F8443FB95AF25D86C3E9A398F748B4DF484139DE494B2A5EB34C4C5C758

Function 00000254A3915A10 Relevance: 12.7, APIs: 10, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3915A64
VirtualFree.KERNEL32 ref: 00000254A3915A8E
VirtualAlloc.KERNEL32 ref: 00000254A3915AA5
VirtualFree.KERNEL32 ref: 00000254A3915B6E
VirtualFree.KERNEL32 ref: 00000254A3915B98
VirtualFree.KERNEL32 ref: 00000254A3915BBD
VirtualFree.KERNEL32 ref: 00000254A3915BE7
VirtualFree.KERNEL32 ref: 00000254A3915C0A
VirtualFree.KERNEL32 ref: 00000254A3915C34
VirtualFree.KERNEL32 ref: 00000254A3915C6C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leave$Initialize
String ID:
API String ID: 529218107-0
Opcode ID: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
Instruction ID: 2787fc7645874830570e255e9774387cc094f7cd220ea511690f2cdef31e3df1
Opcode Fuzzy Hash: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
Instruction Fuzzy Hash: 20715635762F0087EBA4EF62E868619B3A9FB48F49F098114CF8A43B54EF39D494C704

Function 00000254A393A830 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 56networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00000254A393A85D
socket.WS2_32 ref: 00000254A393A87B
htonl.WS2_32 ref: 00000254A393A89A
bind.WS2_32 ref: 00000254A393A8C1
getsockname.WS2_32 ref: 00000254A393A8E6

Strings

lws_plat_pipe_create, xrefs: 00000254A393A900
%s: failed, xrefs: 00000254A393A90C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: socket$bindgetsocknamehtonl
String ID: %s: failed$lws_plat_pipe_create
API String ID: 858234250-3012564250
Opcode ID: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
Instruction ID: f29a01d405fc0c07944112ee124d072eae4575b67fa592b45e5c450b40bc38d4
Opcode Fuzzy Hash: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
Instruction Fuzzy Hash: F2218332324E9083E7809F24E8583CA7768E748BADF481335DA69167E8EF34C9C5C749

Function 00000254A3922660 Relevance: 12.2, APIs: 8, Instructions: 180commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00000254A392267C
CoInitializeSecurity.OLE32 ref: 00000254A39226B5
CoCreateInstance.OLE32 ref: 00000254A39226EF
VariantInit.OLEAUT32 ref: 00000254A3922706
SysAllocString.OLEAUT32 ref: 00000254A39227DA
SysFreeString.OLEAUT32 ref: 00000254A39227FA
VirtualFree.KERNEL32 ref: 00000254A39228CD
VirtualFree.KERNEL32 ref: 00000254A39228F7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
String ID:
API String ID: 1458724981-0
Opcode ID: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
Instruction ID: a0dd75e67a39d06202ce047ecd1a7adbd90cd2cad31b5408fb613273ef82f217
Opcode Fuzzy Hash: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
Instruction Fuzzy Hash: 98817F32615F90C7EBA0DF66E85869DB7B9F788B99F014115EE8947B14EF38C185CB00

Function 00000254A39101A0 Relevance: 12.1, APIs: 8, Instructions: 109processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000254A3910207
OpenProcessToken.ADVAPI32 ref: 00000254A3910219
GetLastError.KERNEL32 ref: 00000254A3910223
DuplicateTokenEx.ADVAPI32 ref: 00000254A3910251
SetTokenInformation.ADVAPI32 ref: 00000254A391026D
CreateEnvironmentBlock.USERENV ref: 00000254A3910282
CreateProcessAsUserW.ADVAPI32 ref: 00000254A39102CA
CreateProcessAsUserW.ADVAPI32 ref: 00000254A3910313

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
String ID:
API String ID: 2924300727-0
Opcode ID: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
Instruction ID: 89116439a9bc3b4323fd99a9f746ec79d8d8e2629d52bb5dba4bd39d03d8b961
Opcode Fuzzy Hash: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
Instruction Fuzzy Hash: 6F517E33B58B818AE790CFA1E85479DB7B9F38878CF4051159E8C67B18EB38C599C704

Function 00000254A391F1B0 Relevance: 12.1, APIs: 8, Instructions: 68clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00000254A391F209
Sleep.KERNEL32 ref: 00000254A391F216
GetLastError.KERNEL32 ref: 00000254A391F223
GlobalAlloc.KERNEL32 ref: 00000254A391F244
GlobalLock.KERNEL32 ref: 00000254A391F255
GlobalUnlock.KERNEL32 ref: 00000254A391F26C
SetClipboardData.USER32 ref: 00000254A391F27A
CloseClipboard.USER32 ref: 00000254A391F280

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataErrorLastLockOpenSleepUnlock
String ID:
API String ID: 3499886738-0
Opcode ID: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
Instruction ID: a2f21c07451927d2691b17da4920da2224c45ba8b60a1cb5ca59ba84f10d84cb
Opcode Fuzzy Hash: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
Instruction Fuzzy Hash: 4521A336334A5083D6D4EB51F89821DE3A4F78CF89F441125EA4753B54EF38C8D58B04

Function 00000254A3925AD0 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

EnumWindows.USER32 ref: 00000254A3925B00

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903568
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390363E
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654

VirtualFree.KERNEL32 ref: 00000254A3925BC1
VirtualFree.KERNEL32 ref: 00000254A3925BEB
VirtualFree.KERNEL32 ref: 00000254A3925C01
VirtualFree.KERNEL32 ref: 00000254A3925C2B
VirtualFree.KERNEL32 ref: 00000254A3925C41
VirtualFree.KERNEL32 ref: 00000254A3925C6B

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$FreeLeave$EnumInitializeWindows
String ID:
API String ID: 3069422982-0
Opcode ID: 2f14e0084ba98971cf671132d363b589f5a96daa3a02d213b3cc35717dadf936
Instruction ID: 5c32e232163f52f19058ff3541a6950499bb065374c99b020eacb83be1324726
Opcode Fuzzy Hash: 2f14e0084ba98971cf671132d363b589f5a96daa3a02d213b3cc35717dadf936
Instruction Fuzzy Hash: 62415532726F0086EB94EF63E85C51EB7A9FB89F89F458014DE4A47B14EE39C585C704

Function 00000254A3914080 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95librarymemoryloaderCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3914097
LoadLibraryW.KERNEL32 ref: 00000254A39140B5
GetProcAddress.KERNEL32 ref: 00000254A39140CD
FreeLibrary.KERNEL32 ref: 00000254A39140DD

Strings

user32.dll, xrefs: 00000254A39140A9
SetProcessDPIAware, xrefs: 00000254A39140C3

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Library$AddressAllocFreeLoadProcVirtual
String ID: SetProcessDPIAware$user32.dll
API String ID: 3041263384-1137607222
Opcode ID: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
Instruction ID: b5a90fcd743e89a87cce6fb4204a1ad309366ac609535a202387e46ea28a6439
Opcode Fuzzy Hash: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
Instruction Fuzzy Hash: A4515435662F8096EBC1AF10E8A93D9B3ACFB0874EF484636C94D16364FF388599C354

Function 00000254A391D2A0 Relevance: 10.5, APIs: 7, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(?,?,00001000,00000254A39024E2), ref: 00000254A391D2B7
OpenServiceW.ADVAPI32(?,?,00001000,00000254A39024E2), ref: 00000254A391D2E6
GetLastError.KERNEL32(?,?,00001000,00000254A39024E2), ref: 00000254A391D2F4
CloseServiceHandle.ADVAPI32(?,?,00001000,00000254A39024E2), ref: 00000254A391D2FF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager
String ID:
API String ID: 2659350385-0
Opcode ID: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
Instruction ID: 8747faba50b735796287d7b19340c4d518b5a42460bdb5f93afdeadaff91233b
Opcode Fuzzy Hash: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
Instruction Fuzzy Hash: 76016D26769F0183EB846B66ED692699695AB4CBDEF0800248E1B06715FE38C4C98709

Function 00000254A39157C0 Relevance: 10.2, APIs: 8, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3915814
VirtualFree.KERNEL32 ref: 00000254A391583E
VirtualAlloc.KERNEL32 ref: 00000254A3915855
VirtualFree.KERNEL32 ref: 00000254A391594C
VirtualFree.KERNEL32 ref: 00000254A3915976
VirtualFree.KERNEL32 ref: 00000254A391599B
VirtualFree.KERNEL32 ref: 00000254A39159C5
VirtualFree.KERNEL32 ref: 00000254A39159EA

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
Instruction ID: 63e577d1f260ec4c9c76986832e7e903939a159ed91a4c7ec4a82eb80aa829c8
Opcode Fuzzy Hash: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
Instruction Fuzzy Hash: 4B616335322F4087EBA4EF62E868659B3A9FB48B49F458125CF8A03B14FF38D594C744

Function 00000254A3915340 Relevance: 10.1, APIs: 8, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3915394
VirtualFree.KERNEL32 ref: 00000254A39153BE
VirtualAlloc.KERNEL32 ref: 00000254A39153D5
VirtualFree.KERNEL32 ref: 00000254A39154C1
VirtualFree.KERNEL32 ref: 00000254A39154EB
VirtualFree.KERNEL32 ref: 00000254A3915510
VirtualFree.KERNEL32 ref: 00000254A391553A
VirtualFree.KERNEL32 ref: 00000254A391555F

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
Instruction ID: 7f1bdad9b733879046667e75b9fb0fb0627dd54db09c7c8e7a04bf885e2f58c9
Opcode Fuzzy Hash: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
Instruction Fuzzy Hash: A1617635366F4087EBA4EF12E86861AB3A9FB48B89F058115DF8E03B14EF38D595C705

Function 00000254A3914700 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3914754
VirtualFree.KERNEL32 ref: 00000254A391477E
VirtualAlloc.KERNEL32 ref: 00000254A3914795
VirtualFree.KERNEL32 ref: 00000254A391486B
VirtualFree.KERNEL32 ref: 00000254A3914895
VirtualFree.KERNEL32 ref: 00000254A39148BA
VirtualFree.KERNEL32 ref: 00000254A39148E4
VirtualFree.KERNEL32 ref: 00000254A3914909

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
Instruction ID: e23c3b60ed79dc9f86998ad4190ab07b9bd7e64e4b005dc4a3f0cdbaf7612956
Opcode Fuzzy Hash: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
Instruction Fuzzy Hash: 47516635362F4087EBA4EF22E868619B3A9FB4CB49F458124DF8A53B14EF38D594C744

Function 00000254A3914D90 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3914DE4
VirtualFree.KERNEL32 ref: 00000254A3914E0E
VirtualAlloc.KERNEL32 ref: 00000254A3914E25
VirtualFree.KERNEL32 ref: 00000254A3914EFB
VirtualFree.KERNEL32 ref: 00000254A3914F25
VirtualFree.KERNEL32 ref: 00000254A3914F4A
VirtualFree.KERNEL32 ref: 00000254A3914F74
VirtualFree.KERNEL32 ref: 00000254A3914F99

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
Instruction ID: d25977a8d17374439dbd7b0f9bbd8f45851ff59ebfefb5a4c4c6fd077eafc461
Opcode Fuzzy Hash: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
Instruction Fuzzy Hash: CB516835722F4087EBA4EF22E868619B3A9FB4CB49F448115DF8A43B14EF38D595C744

Function 00000254A3915590 Relevance: 10.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39155E4
VirtualFree.KERNEL32 ref: 00000254A391560E
VirtualAlloc.KERNEL32 ref: 00000254A3915625
VirtualFree.KERNEL32 ref: 00000254A39156FB
VirtualFree.KERNEL32 ref: 00000254A3915725
VirtualFree.KERNEL32 ref: 00000254A391574A
VirtualFree.KERNEL32 ref: 00000254A3915774
VirtualFree.KERNEL32 ref: 00000254A3915799

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
Instruction ID: 1d1a57768c370c04873faf5759e77464e6b7d3a7615a62344f2fbacc8fdcd942
Opcode Fuzzy Hash: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
Instruction Fuzzy Hash: 88518B32322F0087EBA4EF22E858619B3A9FB49B49F458115DF8E43B14EF38D594C744

Function 00000254A3914B60 Relevance: 10.1, APIs: 8, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3914BB4

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

VirtualFree.KERNEL32 ref: 00000254A3914BDE
VirtualAlloc.KERNEL32 ref: 00000254A3914BF5
VirtualFree.KERNEL32 ref: 00000254A3914CC0
VirtualFree.KERNEL32 ref: 00000254A3914CEA
VirtualFree.KERNEL32 ref: 00000254A3914D0F
VirtualFree.KERNEL32 ref: 00000254A3914D39
VirtualFree.KERNEL32 ref: 00000254A3914D5E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
Instruction ID: a554c3203d2d774c261704675566ec4226408e2267f7dc142cebc065c77998b9
Opcode Fuzzy Hash: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
Instruction Fuzzy Hash: 42516535762F0087EBA4EF22E868619B3A9FB4CB49F058114DF8A43B14EF38D595C744

Function 00000254A3914930 Relevance: 10.1, APIs: 8, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3914984

Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D3D
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D50
Part of subcall function 00000254A3904D20: CloseHandle.KERNEL32 ref: 00000254A3904D66
Part of subcall function 00000254A3904D20: DeleteCriticalSection.KERNEL32 ref: 00000254A3904D8D
Part of subcall function 00000254A3904D20: VirtualFree.KERNEL32 ref: 00000254A3904DBA

VirtualFree.KERNEL32 ref: 00000254A39149AE
VirtualAlloc.KERNEL32 ref: 00000254A39149C5
VirtualFree.KERNEL32 ref: 00000254A3914A90
VirtualFree.KERNEL32 ref: 00000254A3914ABA
VirtualFree.KERNEL32 ref: 00000254A3914ADF
VirtualFree.KERNEL32 ref: 00000254A3914B09
VirtualFree.KERNEL32 ref: 00000254A3914B2E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
String ID:
API String ID: 948184506-0
Opcode ID: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
Instruction ID: 30b8af72f8967029885dc14e99c6a0d056a9a8f55ed5ee1af54024b8bed1028c
Opcode Fuzzy Hash: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
Instruction Fuzzy Hash: FF515635766F4087EBA4EF22E86861AB3A9FB4CB49F058114DF8A43B14EF38D594C744

Function 00000254A3902830 Relevance: 7.6, APIs: 5, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,00001000,00000254A390228E), ref: 00000254A390284A
GetModuleHandleW.KERNEL32(?,?,00001000,00000254A390228E), ref: 00000254A390285D
GetModuleHandleW.KERNEL32(?,?,00001000,00000254A390228E), ref: 00000254A3902888
VirtualProtect.KERNEL32(?,?,00001000,00000254A390228E), ref: 00000254A39028BC
VirtualProtect.KERNEL32(?,?,00001000,00000254A390228E), ref: 00000254A39028D7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: HandleModule$ProtectVirtual
String ID:
API String ID: 3544755384-0
Opcode ID: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
Instruction ID: e2025a3d241347852e6d9f45c9db6a90d48b169b768a3a76c2a00077417eb921
Opcode Fuzzy Hash: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
Instruction Fuzzy Hash: 4A213B36766B4083FB94AF15F8A8359B7A8F749B8EF444025DA8A03754EB38C4D5C744

Function 00000254A39267B8 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 410COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00000254A39267FF
header crc mismatch, xrefs: 00000254A3926C50
unknown compression method, xrefs: 00000254A3926739

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID:
String ID: header crc mismatch$unknown compression method$unknown header flags set
API String ID: 0-1578397619
Opcode ID: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
Instruction ID: b4386dd0f4d785920b97af078f22e969ff39a2f1b2ba1ab2053a5c958da547a0
Opcode Fuzzy Hash: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
Instruction Fuzzy Hash: 6302CE72660E508BF798EE66C9A8368BBA8F31474DF054518CF495BF80E7B4D9A0C748

Function 00000254A390DDD0 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000254A390DE1C
memset.NTDLL ref: 00000254A390DE63
FindFirstFileW.KERNEL32 ref: 00000254A390DE74
free.MSVCRT ref: 00000254A390DE96

Part of subcall function 00000254A390DC50: VirtualFree.KERNEL32 ref: 00000254A390DCEA
Part of subcall function 00000254A390DC50: VirtualFree.KERNEL32 ref: 00000254A390DD14
Part of subcall function 00000254A390DC50: CreateThread.KERNEL32 ref: 00000254A390DD40
Part of subcall function 00000254A390DC50: IsBadReadPtr.KERNEL32 ref: 00000254A390DD64
Part of subcall function 00000254A390DC50: EnterCriticalSection.KERNEL32 ref: 00000254A390DD77
Part of subcall function 00000254A390DC50: VirtualAlloc.KERNEL32 ref: 00000254A390DD8E
Part of subcall function 00000254A390DC50: LeaveCriticalSection.KERNEL32 ref: 00000254A390DDB2

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalFreeSection$AllocCreateEnterFileFindFirstLeaveReadThreadfreemallocmemset
String ID:
API String ID: 4255097067-0
Opcode ID: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
Instruction ID: d4599eb2b4ec6e2ea5c4cecca17b957a9b47f0b1a70a6e9ae2a0e2b7776f4fff
Opcode Fuzzy Hash: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
Instruction Fuzzy Hash: B7218032315A8082EBA0AF21D85C79DA3A8F749FC9F544131DE9D47748EF39CA89CB40

Function 00000254A3352F98 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000254A3352FFC

Strings

gfffffff, xrefs: 00000254A3353299

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction ID: 30fee2d5807d453b6a588d841feeedf77bfa83e5d18ed609280c2a3a8963a1f2
Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction Fuzzy Hash: 4D918A63759BC48AEF51EB2DD8283ADE7A4A758BDDF058062DE4947381FA3DC546C300

Function 0000000180023B98 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180023BFC

Strings

gfffffff, xrefs: 0000000180023E99

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701

Function 00000254A39038D0 Relevance: 5.2, APIs: 4, Instructions: 215memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3903A07
VirtualAlloc.KERNEL32 ref: 00000254A3903A27
VirtualFree.KERNEL32 ref: 00000254A3903A63
VirtualFree.KERNEL32 ref: 00000254A3903B36

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
Instruction ID: 446d0a648d240b6df0d54d629337987acac514065286adaaf483a5fc5e8c8262
Opcode Fuzzy Hash: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
Instruction Fuzzy Hash: 3E810922720F4143EB549B36999827EA359FBCAB8DF009715EE8A53B40EF38D1C5C704

Function 00000254A3917E20 Relevance: 4.5, APIs: 3, Instructions: 36pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32 ref: 00000254A3917E5B
ConnectNamedPipe.KERNEL32 ref: 00000254A3917E81
GetLastError.KERNEL32 ref: 00000254A3917E8B

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: NamedPipe$ConnectCreateErrorLast
String ID:
API String ID: 3851520242-0
Opcode ID: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
Instruction ID: e7479072dd0889cb132a09095c7746a4853d29b1c3140d192bb840830f6765ee
Opcode Fuzzy Hash: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
Instruction Fuzzy Hash: EF01B132318A4083D7509B16FD08259F6E8EB8C7F9F044220EA6943BA4EBB8C8D58B04

Function 00000254A391E2EE Relevance: 3.0, APIs: 2, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 00000254A391E10C
GetDeviceCaps.GDI32 ref: 00000254A391E11A
GetDeviceCaps.GDI32 ref: 00000254A391E128
GetDeviceCaps.GDI32 ref: 00000254A391E156
MapVirtualKeyW.USER32 ref: 00000254A391E1BC
keybd_event.USER32 ref: 00000254A391E1D0
mouse_event.USER32 ref: 00000254A391E340
BlockInput.USER32 ref: 00000254A391E355

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CapsDevice$BlockInputVirtualkeybd_eventmouse_event
String ID:
API String ID: 1381131145-0
Opcode ID: 5ddf8cd65dce4eeba2004f466f6a1b8963dd5604d58de57280524a84e7bb8b73
Instruction ID: 37f4c12ee0b52adb1415b07cc5fe19bc947cb8128d49e89e03f753ca9d9323f2
Opcode Fuzzy Hash: 5ddf8cd65dce4eeba2004f466f6a1b8963dd5604d58de57280524a84e7bb8b73
Instruction Fuzzy Hash: BEF08222B14EC487D3A19B15B81876AB3AAFB8C759F140016CF8D43654DF38C4C68B05

Function 00000254A3903330 Relevance: 64.1, APIs: 51, Instructions: 358memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
IsBadReadPtr.KERNEL32 ref: 00000254A3903427
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
IsBadReadPtr.KERNEL32 ref: 00000254A3903492
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
IsBadReadPtr.KERNEL32 ref: 00000254A3903568
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
IsBadReadPtr.KERNEL32 ref: 00000254A390363E
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903678
IsBadReadPtr.KERNEL32 ref: 00000254A3903691
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036A7
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036CB
IsBadReadPtr.KERNEL32 ref: 00000254A39036E4
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39036FA
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903726
IsBadReadPtr.KERNEL32 ref: 00000254A390373F
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903755
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903779
IsBadReadPtr.KERNEL32 ref: 00000254A3903792
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39037A8
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39037CC
IsBadReadPtr.KERNEL32 ref: 00000254A39037E5
EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39037FB
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903826
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390384B
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390385D
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390386F
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903881
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903893
LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39038A5

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
String ID:
API String ID: 3051317124-0
Opcode ID: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
Instruction ID: 3f502c93652bf21101c1a7fb719a571703edd0d3b9cbb7d6bfb855326255e175
Opcode Fuzzy Hash: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
Instruction Fuzzy Hash: 01F1F821364F4087EB95AF21EC68369A7ACFB59B8EF488425DE4A47754EF38C5C8C305

Function 00000254A3910FA0 Relevance: 45.6, APIs: 25, Strings: 1, Instructions: 113filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3910E40: lstrlenW.KERNEL32 ref: 00000254A3910E50
Part of subcall function 00000254A3910E40: WideCharToMultiByte.KERNEL32 ref: 00000254A3910E7A
Part of subcall function 00000254A3910E40: VirtualAlloc.KERNEL32 ref: 00000254A3910E95
Part of subcall function 00000254A3910E40: lstrlenW.KERNEL32 ref: 00000254A3910EA6
Part of subcall function 00000254A3910E40: memset.NTDLL ref: 00000254A3910ECB
Part of subcall function 00000254A3910E40: lstrlenA.KERNEL32 ref: 00000254A3910ED3
Part of subcall function 00000254A3910E40: VirtualFree.KERNEL32 ref: 00000254A3910EE9

memset.NTDLL ref: 00000254A3910FE4
wsprintfW.USER32 ref: 00000254A3911005
memset.NTDLL ref: 00000254A391101A
wsprintfW.USER32 ref: 00000254A391103B
memset.NTDLL ref: 00000254A3911050
wsprintfW.USER32 ref: 00000254A3911071
memset.NTDLL ref: 00000254A3911084
lstrcpyW.KERNEL32 ref: 00000254A3911091
memset.NTDLL ref: 00000254A39110A6
lstrcpyW.KERNEL32 ref: 00000254A39110B7
PathRemoveFileSpecW.SHLWAPI ref: 00000254A39110C2
memset.NTDLL ref: 00000254A39110D7
wsprintfW.USER32 ref: 00000254A39110F6
memset.NTDLL ref: 00000254A391110B
wsprintfW.USER32 ref: 00000254A391112A
MoveFileW.KERNEL32 ref: 00000254A391113E
DeleteFileW.KERNEL32 ref: 00000254A391114B
SetFileAttributesW.KERNEL32 ref: 00000254A391115D
MoveFileW.KERNEL32 ref: 00000254A391117B
DeleteFileW.KERNEL32 ref: 00000254A3911188
SetFileAttributesW.KERNEL32 ref: 00000254A391119A
CopyFileW.KERNEL32 ref: 00000254A39111B1
MoveFileW.KERNEL32 ref: 00000254A39111C5
DeleteFileW.KERNEL32 ref: 00000254A39111D2
SetFileAttributesW.KERNEL32 ref: 00000254A39111E4

Strings

%s\%s, xrefs: 00000254A3910FF7, 00000254A391102D, 00000254A3911063, 00000254A39110E8, 00000254A391111C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: File$memset$wsprintf$AttributesDeleteMovelstrlen$Virtuallstrcpy$AllocByteCharCopyFreeMultiPathRemoveSpecWide
String ID: %s\%s
API String ID: 467509054-4073750446
Opcode ID: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
Instruction ID: 8d6b7c6b03708715a6ba12ab6181eef36816752bae7a59ae40c8adede1078c84
Opcode Fuzzy Hash: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
Instruction Fuzzy Hash: 98518F22364E86A6EB60EF60DC687D96769F78874EF804012C64D4B568FF38C78EC741

Function 00000254A3922DE0 Relevance: 30.1, APIs: 20, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922DF7
VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922E26
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922E38
CreateEventW.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922E5C
IsBadReadPtr.KERNEL32 ref: 00000254A3922E72
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922E85
VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922E9C
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922ECB
IsBadReadPtr.KERNEL32 ref: 00000254A3922EDD
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922EF0
VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922F07
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922F36
IsBadReadPtr.KERNEL32 ref: 00000254A3922F48
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922F5B
VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922F72
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922FA1
IsBadReadPtr.KERNEL32 ref: 00000254A3922FB3
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922FC6
VirtualAlloc.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A3922FDD
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A39048F0), ref: 00000254A392300C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$CreateEventInitialize
String ID:
API String ID: 3948381741-0
Opcode ID: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
Instruction ID: c3e85440f316c34a73a89f5f9b0d7275c8f9e4affaac1d318ea5f42820f43daa
Opcode Fuzzy Hash: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
Instruction Fuzzy Hash: 65616E31361F4083E785AF11ED68359B7A8F748B8AF448425CA5A47B94EF34C5E9C305

Function 00000254A390FF40 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 141processCOMMON

Download Yara Rule

APIs

WTSQueryUserToken.WTSAPI32 ref: 00000254A390FFC6
GetLastError.KERNEL32 ref: 00000254A390FFD0
DuplicateTokenEx.ADVAPI32 ref: 00000254A3910000
ConvertStringSidToSidW.ADVAPI32 ref: 00000254A3910015
GetLengthSid.ADVAPI32 ref: 00000254A391002E
SetTokenInformation.ADVAPI32 ref: 00000254A3910046
CreateEnvironmentBlock.USERENV ref: 00000254A3910059
CreateProcessAsUserW.ADVAPI32 ref: 00000254A39100A1
CreateProcessAsUserW.ADVAPI32 ref: 00000254A39100EC
GetLastError.KERNEL32 ref: 00000254A39100F6
CloseHandle.KERNEL32 ref: 00000254A3910108
CloseHandle.KERNEL32 ref: 00000254A391011C

Strings

S-1-16-12288, xrefs: 00000254A391000E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CreateTokenUser$CloseErrorHandleLastProcess$BlockConvertDuplicateEnvironmentInformationLengthQueryString
String ID: S-1-16-12288
API String ID: 1141289200-1849704789
Opcode ID: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
Instruction ID: ec67469934ab8b17a92f91def86102d7a0e88e245d1fe77c47fd8f8bd1a97223
Opcode Fuzzy Hash: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
Instruction Fuzzy Hash: 8B611B32658F4087EB909F61E85429EB7B9F78878DF104215EE8963B28EF38C5D5CB04

Function 00000254A392D3D0 Relevance: 27.5, APIs: 1, Strings: 17, Instructions: 460COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A393A990: WSAStartup.WS2_32 ref: 00000254A393A9A1

memset.NTDLL ref: 00000254A392D7E4

Strings

wsi, xrefs: 00000254A392D55A
Failed to create default vhost, xrefs: 00000254A392DA5F
fds table, xrefs: 00000254A392D863
info->ka_interval can't be 0 if ka_time used, xrefs: 00000254A392D831
wsisrv, xrefs: 00000254A392D576
NSC, xrefs: 00000254A392DAC1
Failed to init cookiejar, xrefs: 00000254A392DB69
lws_create_context, xrefs: 00000254A392D844, 00000254A392DA7C, 00000254A392DBE9
unknown, xrefs: 00000254A392D9D2
system, xrefs: 00000254A392D9E4
OOM allocating %d fds, xrefs: 00000254A392DBDD
OOM, xrefs: 00000254A392DC20
lws_free, xrefs: 00000254A392DC0D
prot_init, xrefs: 00000254A392DA00
mux, xrefs: 00000254A392D584
wsicli, xrefs: 00000254A392D592
context, xrefs: 00000254A392D46F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Startupmemset
String ID: Failed to create default vhost$Failed to init cookiejar$NSC$OOM$OOM allocating %d fds$context$fds table$info->ka_interval can't be 0 if ka_time used$lws_create_context$lws_free$mux$prot_init$system$unknown$wsi$wsicli$wsisrv
API String ID: 1873301828-3289243303
Opcode ID: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
Instruction ID: fd46645be865bf70a72c9722febf791180c85e37f457a0f45f8ca58c441cb85d
Opcode Fuzzy Hash: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
Instruction Fuzzy Hash: 1D325B72251F8086EB94EF65E8543DAB3A8F748B8DF4441369E9D4B3A4EF38D180C754

Function 00000254A391D5A0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 124memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00000254A391D62F
CoCreateInstance.OLE32 ref: 00000254A391D654
CoCreateInstance.OLE32 ref: 00000254A391D68A
CoUninitialize.OLE32 ref: 00000254A391D6A8
SysAllocString.OLEAUT32 ref: 00000254A391D6D0
SysAllocString.OLEAUT32 ref: 00000254A391D6E0
SysAllocString.OLEAUT32 ref: 00000254A391D6F0
SysFreeString.OLEAUT32 ref: 00000254A391D76A
SysFreeString.OLEAUT32 ref: 00000254A391D773
SysFreeString.OLEAUT32 ref: 00000254A391D77C
CoUninitialize.OLE32 ref: 00000254A391D7A0

Strings

Block All Outbound, xrefs: 00000254A391D6BF
BlockAllGroup, xrefs: 00000254A391D6E6
i33L, xrefs: 00000254A391D5B7
Block all outbound traffic, xrefs: 00000254A391D6D6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
API String ID: 2562062002-1644180588
Opcode ID: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
Instruction ID: 4cbda016139edc7a827ee534549791177b180f5d9492db7781c8fe3ec1b945a3
Opcode Fuzzy Hash: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
Instruction Fuzzy Hash: CE511276711B448AEB40EF26D89829C7BB4F788B8DF108526DE4E53B28DF38C599C705

Function 00000254A39136D0 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A39136F4
ProcessIdToSessionId.KERNEL32 ref: 00000254A3913704
memset.NTDLL ref: 00000254A3913717
wsprintfW.USER32 ref: 00000254A3913734
GetCurrentProcess.KERNEL32 ref: 00000254A3913748
TerminateProcess.KERNEL32 ref: 00000254A3913753
memset.NTDLL ref: 00000254A3913769
wsprintfW.USER32 ref: 00000254A3913789
GetCurrentProcess.KERNEL32 ref: 00000254A39137A8
TerminateProcess.KERNEL32 ref: 00000254A39137B3
WaitForSingleObject.KERNEL32 ref: 00000254A39137CA
GetCurrentProcess.KERNEL32 ref: 00000254A39137D4
TerminateProcess.KERNEL32 ref: 00000254A39137DF

Strings

\\.\Pipe\%d_Local_%d, xrefs: 00000254A3913776
\\.\Pipe\%d_pipe%d, xrefs: 00000254A3913724

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
API String ID: 1631145905-82101934
Opcode ID: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
Instruction ID: e24a5f5265f29b59491b7b3e71c943aa5b7b66f525db0e4e22caf60f0f834d76
Opcode Fuzzy Hash: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
Instruction Fuzzy Hash: 67318562364E4183EBA4AF21EC6C359A769F788F8EF044024C94A47668FF3CC5C9CB15

Function 00000254A3911760 Relevance: 25.7, APIs: 17, Instructions: 151networkmemorysleepCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00000254A3911780
setsockopt.WS2_32 ref: 00000254A39117DC
setsockopt.WS2_32 ref: 00000254A3911800
setsockopt.WS2_32 ref: 00000254A391182B
WSAIoctl.WS2_32 ref: 00000254A3911881
setsockopt.WS2_32 ref: 00000254A39118B0

Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A390442D
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A390445F
Part of subcall function 00000254A3904410: InitializeCriticalSection.KERNEL32 ref: 00000254A3904474
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A3904490
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A39044A3
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A39044BA
Part of subcall function 00000254A3904410: LeaveCriticalSection.KERNEL32 ref: 00000254A39044E9
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A39044FE
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A3904511
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A3904528
Part of subcall function 00000254A3904410: LeaveCriticalSection.KERNEL32 ref: 00000254A3904557
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A390456C
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A390457F
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A3904596

VirtualAlloc.KERNEL32 ref: 00000254A39118D5
CreateThread.KERNEL32 ref: 00000254A3911927
IsBadReadPtr.KERNEL32 ref: 00000254A391193F
EnterCriticalSection.KERNEL32 ref: 00000254A3911952
VirtualAlloc.KERNEL32 ref: 00000254A3911968
LeaveCriticalSection.KERNEL32 ref: 00000254A391198C
CancelIo.KERNEL32 ref: 00000254A391199F
closesocket.WS2_32 ref: 00000254A39119A8
VirtualFree.KERNEL32 ref: 00000254A39119B9
Sleep.KERNEL32 ref: 00000254A39119C2
accept.WS2_32 ref: 00000254A39119D1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterReadsetsockopt$Leave$accept$CancelCreateFreeInitializeIoctlSleepThreadclosesocket
String ID:
API String ID: 241427152-0
Opcode ID: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
Instruction ID: 22d5578b11f1209b2a390fec80e1a7be121e8937d63b2329a5cb22a40fac33f7
Opcode Fuzzy Hash: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
Instruction Fuzzy Hash: 6A617E72215F8087E7A49F11E82875AB7A8F788B8DF044125DE8A07B54EF3DC989CB05

Function 00000254A3924DA0 Relevance: 25.6, APIs: 17, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924DB7
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924DEF
CreateEventW.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924E01
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924E1C
InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924E2E
IsBadReadPtr.KERNEL32 ref: 00000254A3924E49
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924E5C
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924E73
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924EA2
IsBadReadPtr.KERNEL32 ref: 00000254A3924EB4
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924EC7
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924EDE
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924F0D
IsBadReadPtr.KERNEL32 ref: 00000254A3924F1F
EnterCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924F32
VirtualAlloc.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924F49
LeaveCriticalSection.KERNEL32(?,?,00000000,00000254A3925130,?,?,00000000,00000254A3904AAC), ref: 00000254A3924F78

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent
String ID:
API String ID: 3934889794-0
Opcode ID: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
Instruction ID: 3758ccd399d9e829ddacbdbb92b1f6e521e261527822bd0853ab1220d0632640
Opcode Fuzzy Hash: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
Instruction Fuzzy Hash: F3516F32325F4083E7859F21ED68369B7A8F748B8EF408525DA4A47794EF38D5E8C345

Function 00000254A3920F20 Relevance: 25.6, APIs: 17, Instructions: 104pipethreadCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920F36
TerminateThread.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920F47
TerminateProcess.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920F53
TerminateThread.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920F5F
VirtualFree.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920F80
VirtualFree.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FAA
DisconnectNamedPipe.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FBC
DisconnectNamedPipe.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FCB
DisconnectNamedPipe.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FDA
DisconnectNamedPipe.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FE9
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3920FF7
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3921009
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A392101C
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A392102F
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3921042
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3921055
CloseHandle.KERNEL32(?,?,?,00000254A3914485), ref: 00000254A3921068

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseHandle$DisconnectNamedPipe$Terminate$FreeThreadVirtual$CriticalDeleteProcessSection
String ID:
API String ID: 2021643575-0
Opcode ID: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
Instruction ID: 9da5de77f33b1b42b9b5a433432780be8ede450686f6cac32c312e5f36084510
Opcode Fuzzy Hash: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
Instruction Fuzzy Hash: 544100253A6F4082FF98EFA2D878328A768FF88F8EF054515CD4A06654EF38C4D58349

Function 00000254A3932B20 Relevance: 24.3, APIs: 2, Strings: 14, Instructions: 347COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 00000254A3932BD7
memcpy.NTDLL ref: 00000254A3932F44

Strings

lws_create_vhost, xrefs: 00000254A3932B79
OOM, xrefs: 00000254A3932E88
|%u, xrefs: 00000254A3932C6D
vh plugin table, xrefs: 00000254A3932E48
init server failed, xrefs: 00000254A3933094
same vh list, xrefs: 00000254A3932F4F
port %u, xrefs: 00000254A3932FA0
ener), xrefs: 00000254A3932FDD
http_proxy, xrefs: 00000254A3933030
|%s, xrefs: 00000254A3932C3B
lws_free, xrefs: 00000254A3932EAA
%s|%s|%d, xrefs: 00000254A3932CB3
default, xrefs: 00000254A3932B46
lws_protocol_init failed, xrefs: 00000254A39330D8

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy
String ID: %s|%s|%d$OOM$default$ener)$http_proxy$init server failed$lws_create_vhost$lws_free$lws_protocol_init failed$port %u$same vh list$vh plugin table$|%s$|%u
API String ID: 3510742995-1324429581
Opcode ID: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
Instruction ID: 07e4e57b37db6333b30eeecf4c6f60e3aafcc18e0635459a19c20ce466d50b64
Opcode Fuzzy Hash: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
Instruction Fuzzy Hash: C1028C72251F8486EB94EF25E8A83D9B7A8F748B8DF44413ADE9D47364EB38C491C704

Function 00000254A3907240 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 96synchronizationpipeCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A390725A

Part of subcall function 00000254A3918120: VirtualAlloc.KERNEL32(?,?,00000000,00000254A3916D58), ref: 00000254A3918137
Part of subcall function 00000254A3918120: InitializeCriticalSection.KERNEL32(?,?,00000000,00000254A3916D58), ref: 00000254A3918165

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

memset.NTDLL ref: 00000254A3907295
GetCurrentProcessId.KERNEL32 ref: 00000254A390729A
wsprintfW.USER32 ref: 00000254A39072B6
WaitForSingleObject.KERNEL32 ref: 00000254A39072D3
WaitForSingleObject.KERNEL32 ref: 00000254A390731B
VirtualFree.KERNEL32 ref: 00000254A390733A
VirtualFree.KERNEL32 ref: 00000254A3907364
DisconnectNamedPipe.KERNEL32 ref: 00000254A390737B
CloseHandle.KERNEL32 ref: 00000254A390738A
DeleteCriticalSection.KERNEL32 ref: 00000254A3907398
VirtualFree.KERNEL32 ref: 00000254A39073A9

Strings

\\.\Pipe\%d_Local_%d, xrefs: 00000254A39072A7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
String ID: \\.\Pipe\%d_Local_%d
API String ID: 2297721380-251893267
Opcode ID: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
Instruction ID: 7f788299c300d15987d1676feda7cef8a5c3a2b4bd5d03521274b7dd178cb018
Opcode Fuzzy Hash: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
Instruction Fuzzy Hash: DA413321365E4083FBA4AB61EC6C36DA3A9FB89F9FF444111CE4A46A54EF38C4C58709

Function 00000254A3930950 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 96networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00000254A3930992
WSAGetLastError.WS2_32 ref: 00000254A393099C
WSAIoctl.WS2_32 ref: 00000254A3930A1D
WSAGetLastError.WS2_32 ref: 00000254A3930A27
getprotobyname.WS2_32 ref: 00000254A3930A75
setsockopt.WS2_32 ref: 00000254A3930AA2
ioctlsocket.WS2_32 ref: 00000254A3930AC3
WSAGetLastError.WS2_32 ref: 00000254A3930AD2

Strings

TCP, xrefs: 00000254A3930A63
setsockopt SO_KEEPALIVE 1 failed with error %d, xrefs: 00000254A39309A5
WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d, xrefs: 00000254A3930A32
ioctlsocket FIONBIO 1 failed with error %d, xrefs: 00000254A3930AD8

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$setsockopt$Ioctlgetprotobynameioctlsocket
String ID: TCP$WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d$ioctlsocket FIONBIO 1 failed with error %d$setsockopt SO_KEEPALIVE 1 failed with error %d
API String ID: 689193069-3784515845
Opcode ID: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
Instruction ID: b39b7670cc3077e3f3a984ed5cad0524fd640d545e914eb927c43d44cfaca27b
Opcode Fuzzy Hash: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
Instruction Fuzzy Hash: 9C418E72614B8087E750AF11E858789BBA8F388B8DF54412ADA4983764EF3DC9C9CB44

Function 00000254A3910E40 Relevance: 21.1, APIs: 14, Instructions: 87stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000254A3910E50
WideCharToMultiByte.KERNEL32 ref: 00000254A3910E7A
VirtualAlloc.KERNEL32 ref: 00000254A3910E95
lstrlenW.KERNEL32 ref: 00000254A3910EA6

Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C907
Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C92F

memset.NTDLL ref: 00000254A3910ECB
lstrlenA.KERNEL32 ref: 00000254A3910ED3
VirtualFree.KERNEL32 ref: 00000254A3910EE9
lstrlenA.KERNEL32 ref: 00000254A3910F0A
memset.NTDLL ref: 00000254A3910F32
memcpy.NTDLL ref: 00000254A3910F42
CreateDirectoryA.KERNEL32 ref: 00000254A3910F4E
lstrlenA.KERNEL32 ref: 00000254A3910F5C
CreateDirectoryA.KERNEL32 ref: 00000254A3910F73
VirtualFree.KERNEL32 ref: 00000254A3910F84

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$CreateDirectoryFreememset$Allocmemcpy
String ID:
API String ID: 2091574596-0
Opcode ID: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
Instruction ID: 37c03bfbea9ed52eff1f4c7fa21011a937b85655521009c71c79ea6ceb961d1f
Opcode Fuzzy Hash: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
Instruction Fuzzy Hash: D0310521369E8043E7D0EB25ED6836DE769A789BCFF044024DA4A42B55EF3CC5C98709

Function 00000254A3905070 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 46COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 00000254A39050E0
srand.MSVCRT ref: 00000254A39050E9
rand.MSVCRT ref: 00000254A3905100

Strings

$%&', xrefs: 00000254A39050AF
89:;, xrefs: 00000254A39050D2
<=>?, xrefs: 00000254A39050D9
()*+, xrefs: 00000254A39050B6
,-./, xrefs: 00000254A39050BD
0123, xrefs: 00000254A39050C4
4567, xrefs: 00000254A39050CB
!"#, xrefs: 00000254A39050A8

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: _time64randsrand
String ID: !"#$$%&'$()*+$,-./$0123$4567$89:;$<=>?
API String ID: 1363323005-2655883160
Opcode ID: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
Instruction ID: a9d17f84c8816458a26c0cbfc7b519b4565047f1ae1e8e8319888fa51aa04b78
Opcode Fuzzy Hash: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
Instruction Fuzzy Hash: D6117F76B147908FEB04CF61E88809D7FB4F309B89B945528DA4A27B08CB34C141CF55

Function 00000254A3922930 Relevance: 18.1, APIs: 12, Instructions: 114networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 00000254A392298C
GetLastError.KERNEL32 ref: 00000254A392299B
getaddrinfo.WS2_32 ref: 00000254A39229CA
WSAGetLastError.WS2_32 ref: 00000254A39229D0
WSAGetLastError.WS2_32 ref: 00000254A39229DA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$Socketgetaddrinfo
String ID:
API String ID: 1420131935-0
Opcode ID: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
Instruction ID: 3f05c86049f251f23eca5b72c53f7e5fec9a4da5df120d87c22d6c817b857823
Opcode Fuzzy Hash: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
Instruction Fuzzy Hash: 1B519B72724A808AE760DFA1E82879D7BB8F74875CF004215EE4917B98DF39C999CB05

Function 00000254A3923BB0 Relevance: 18.1, APIs: 12, Instructions: 108networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00000254A3923BF3
GetLastError.KERNEL32 ref: 00000254A3923C02
getaddrinfo.WS2_32 ref: 00000254A3923C31
WSAGetLastError.WS2_32 ref: 00000254A3923C37
WSAGetLastError.WS2_32 ref: 00000254A3923C41

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$getaddrinfosocket
String ID:
API String ID: 2350576183-0
Opcode ID: 183dd14ccb18c69825c5ef14be7dfcbe68b6ff15fd6c6c6db8b03a0aaa48b992
Instruction ID: ab369828be8f9796d430a977003d0b44eb5b294b55d22afacf2139cff02e216a
Opcode Fuzzy Hash: 183dd14ccb18c69825c5ef14be7dfcbe68b6ff15fd6c6c6db8b03a0aaa48b992
Instruction Fuzzy Hash: EE518C72724A809BE710DFA0D85839D77B8F74875DF008225EF5917B98DB38C598CB05

Function 00000254A3904220 Relevance: 18.1, APIs: 12, Instructions: 93sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00000254A3904237
Sleep.KERNEL32 ref: 00000254A390424C
IsBadReadPtr.KERNEL32 ref: 00000254A390426B
EnterCriticalSection.KERNEL32 ref: 00000254A3904281
LeaveCriticalSection.KERNEL32 ref: 00000254A39042A2
LeaveCriticalSection.KERNEL32 ref: 00000254A39042AF
SetEvent.KERNEL32 ref: 00000254A390431E
WaitForSingleObject.KERNEL32 ref: 00000254A390433F
CloseHandle.KERNEL32 ref: 00000254A3904351

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
String ID:
API String ID: 1497552152-0
Opcode ID: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
Instruction ID: b220f51fccdcb47462bd38684bddc12aab7fcc97b523134e8236710cb0e363fe
Opcode Fuzzy Hash: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
Instruction Fuzzy Hash: CD414C21365E4087FB98AF25DC69368A7A8FB4AF8EF485520CE0A47754EF38C4D58709

Function 00000254A391EB30 Relevance: 18.1, APIs: 12, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00000254A391EB56
GetDC.USER32 ref: 00000254A391EB66
GetSystemMetrics.USER32 ref: 00000254A391EB7E
GetSystemMetrics.USER32 ref: 00000254A391EB8A
CreateCompatibleDC.GDI32 ref: 00000254A391EB97
CreateCompatibleDC.GDI32 ref: 00000254A391EBA5
CreateDIBSection.GDI32 ref: 00000254A391EBE0
CreateDIBSection.GDI32 ref: 00000254A391EC02
SelectObject.GDI32 ref: 00000254A391EC17
SelectObject.GDI32 ref: 00000254A391EC32
CreateEventW.KERNEL32 ref: 00000254A391EC56
VirtualAlloc.KERNEL32 ref: 00000254A391EC76

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Create$CompatibleMetricsObjectSectionSelectSystem$AllocDesktopEventVirtualWindow
String ID:
API String ID: 623393097-0
Opcode ID: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
Instruction ID: ceb200f8d7d5637087c9fb3042c1c2436124b694d89666e550982a9c62418350
Opcode Fuzzy Hash: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
Instruction Fuzzy Hash: 5C411236614F40A7D758DF25EA5864EB7B8F348B89F004519DB8A43B10EF39E0B9CB04

Function 00000254A3930BA0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 217networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00000254A3930D21
sendto.WS2_32 ref: 00000254A3930D31
WSAGetLastError.WS2_32 ref: 00000254A3930D6F
WSAGetLastError.WS2_32 ref: 00000254A3930D7C
WSAGetLastError.WS2_32 ref: 00000254A3930D89
WSAGetLastError.WS2_32 ref: 00000254A3930DB4

Strings

@, xrefs: 00000254A3930DC1
lws_issue_raw, xrefs: 00000254A3930CA8
invalid sock, xrefs: 00000254A3930C93

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$sendto
String ID: @$invalid sock$lws_issue_raw
API String ID: 437866842-1634260725
Opcode ID: e12959c90679bdaffc1ced3d20ce5748b36e4cb10404d9724eb399e2990ee578
Instruction ID: caf830eca1bff8abe960f7f6cda07e4f9be2b18a3d84977f7051b69f1ec1417d
Opcode Fuzzy Hash: e12959c90679bdaffc1ced3d20ce5748b36e4cb10404d9724eb399e2990ee578
Instruction Fuzzy Hash: 4991C6627A5F4187EBA4AF259C283E9E698E744B9DF080139DE17477E5FB34C4C18708

Function 00000254A391B990 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A391B9B9
memcpy.NTDLL ref: 00000254A391B9DD
VirtualAlloc.KERNEL32 ref: 00000254A391BA08
memcpy.NTDLL ref: 00000254A391BA3D
memcpy.NTDLL ref: 00000254A391BA73
memset.NTDLL ref: 00000254A391BB0C
ExpandEnvironmentStringsW.KERNEL32 ref: 00000254A391BB23
memset.NTDLL ref: 00000254A391BB38

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A391BB1C, 00000254A391BB2B
47.238.215.73, xrefs: 00000254A391BA48

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy$AllocVirtualmemset$EnvironmentExpandStrings
String ID: 47.238.215.73$C:\Program Files\Windows Mail
API String ID: 791498746-1000070797
Opcode ID: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
Instruction ID: 02f06bdaf55f449ea39467516ab281ed6c806f6e934c016c81ae2caa2ad92d57
Opcode Fuzzy Hash: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
Instruction Fuzzy Hash: E3710172A65F8183E781DB28E9153A8B764F799B8DF04D325CA8913762FF3891C6C704

Function 00000254A3913920 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 78stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A3913941
ProcessIdToSessionId.KERNEL32 ref: 00000254A3913951
memset.NTDLL ref: 00000254A39139A9
lstrcmpiW.KERNEL32 ref: 00000254A39139CE
lstrcmpiW.KERNEL32 ref: 00000254A39139F3
CreateThread.KERNEL32 ref: 00000254A3913A61

Strings

UDP, xrefs: 00000254A39139E4
HTTP, xrefs: 00000254A3913A05
TCP, xrefs: 00000254A39139BF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Processlstrcmpi$CreateCurrentSessionThreadmemset
String ID: HTTP$TCP$UDP
API String ID: 1333632082-3864057669
Opcode ID: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
Instruction ID: 9fa205c7b382d9819a71f0a07841e74c4d773ea7212857c584b00ef1b72ffde8
Opcode Fuzzy Hash: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
Instruction Fuzzy Hash: EC318271668E8093E790EF21FC6839AF7A9F788B4EF405126D94A42654FF38C5C5C704

Function 00000254A3913ED0 Relevance: 16.6, APIs: 11, Instructions: 118synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3913F23
VirtualFree.KERNEL32 ref: 00000254A3913F4D
SetEvent.KERNEL32 ref: 00000254A3913F7D
WaitForSingleObject.KERNEL32 ref: 00000254A3913F8F
TerminateThread.KERNEL32 ref: 00000254A3913F9A
CloseHandle.KERNEL32 ref: 00000254A3913FA8
VirtualFree.KERNEL32 ref: 00000254A3913FE0
WaitForSingleObject.KERNEL32 ref: 00000254A3914011
TerminateThread.KERNEL32 ref: 00000254A391401C
CloseHandle.KERNEL32 ref: 00000254A391402A
VirtualFree.KERNEL32 ref: 00000254A3914057

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$CloseHandleLeaveObjectSingleTerminateThreadWait$EventInitialize
String ID:
API String ID: 3987515053-0
Opcode ID: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
Instruction ID: ef7c8bba72a19a645f1a3c02780a228c1e510ac32ace44f17d62e0b82c6c3ed5
Opcode Fuzzy Hash: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
Instruction Fuzzy Hash: DE412421366E4083FBD4EF13A968329E769BB89F8EF084015DE4A17B55EF38C4D58349

Function 00000254A3920260 Relevance: 16.6, APIs: 11, Instructions: 101servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000254A39202AB
OpenServiceW.ADVAPI32 ref: 00000254A39202C8
QueryServiceStatus.ADVAPI32 ref: 00000254A39202D9
LockServiceDatabase.ADVAPI32 ref: 00000254A39202E2
ChangeServiceConfigW.ADVAPI32 ref: 00000254A3920340
UnlockServiceDatabase.ADVAPI32 ref: 00000254A392034E
CloseServiceHandle.ADVAPI32 ref: 00000254A3920357
CloseServiceHandle.ADVAPI32 ref: 00000254A3920360
Sleep.KERNEL32 ref: 00000254A392036B
VirtualFree.KERNEL32 ref: 00000254A3920381
VirtualFree.KERNEL32 ref: 00000254A39203AB

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
String ID:
API String ID: 3731607402-0
Opcode ID: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
Instruction ID: 2fd43052da716488e994a01d8e2216144b885d654791bbc7e1ea4367ab522caa
Opcode Fuzzy Hash: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
Instruction Fuzzy Hash: A1416136365F4083E7A8EF22A828B5AB7A9FB88F9DF544014CE5607714EF39C489C744

Function 00000254A391CB60 Relevance: 16.6, APIs: 11, Instructions: 71stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391CB84
malloc.MSVCRT ref: 00000254A391CB92
Process32FirstW.KERNEL32 ref: 00000254A391CBB0
lstrcmpiW.KERNEL32(?,?,?,00000254A3902AC7), ref: 00000254A391CBC1
free.MSVCRT ref: 00000254A391CBD6
CloseHandle.KERNEL32(?,?,?,00000254A3902AC7), ref: 00000254A391CBE4
Process32NextW.KERNEL32 ref: 00000254A391CBF4
lstrcmpiW.KERNEL32(?,?,?,00000254A3902AC7), ref: 00000254A391CC07
Process32NextW.KERNEL32 ref: 00000254A391CC1C
free.MSVCRT ref: 00000254A391CC29
CloseHandle.KERNEL32(?,?,?,00000254A3902AC7), ref: 00000254A391CC37

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process32$CloseHandleNextfreelstrcmpi$CreateFirstSnapshotToolhelp32malloc
String ID:
API String ID: 2997854644-0
Opcode ID: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
Instruction ID: 86e92eb562cbbb48373a13981d3622f65656d9b49ba9d8287ee57ede05f188ff
Opcode Fuzzy Hash: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
Instruction Fuzzy Hash: 0421A261395E0183EBD4AF22AD68329E7A9E748FCEF494414CD0697754EF38C8C5CB09

Function 00000254A391F590 Relevance: 16.6, APIs: 11, Instructions: 55threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000254A391F5A4
GetThreadDesktop.USER32 ref: 00000254A391F5AC
memset.NTDLL ref: 00000254A391F5C2
GetUserObjectInformationW.USER32 ref: 00000254A391F5E5
OpenInputDesktop.USER32 ref: 00000254A391F5F5
memset.NTDLL ref: 00000254A391F60E
GetUserObjectInformationW.USER32 ref: 00000254A391F634
lstrcmpiW.KERNEL32 ref: 00000254A391F647
SetThreadDesktop.USER32 ref: 00000254A391F654
CloseDesktop.USER32 ref: 00000254A391F662
CloseDesktop.USER32 ref: 00000254A391F66B

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
String ID:
API String ID: 2480204736-0
Opcode ID: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
Instruction ID: 90ab7795e5d8e8fd9a2faad5a100df5a4d5316878a2137038877c78b3eb50423
Opcode Fuzzy Hash: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
Instruction Fuzzy Hash: 00217F35368F8092E760EB11E86D78AB7A5F788B8DF444026DA5A03B54EF3CC289C745

Function 00000254A393C5F0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 282COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00000254A393C9D3

Strings

YZ[\X]^_RAW, xrefs: 00000254A393C5FC
MQTT, xrefs: 00000254A393C69F, 00000254A393C849
client_connect2, xrefs: 00000254A393CA3F
DNS NXDOMAIN, xrefs: 00000254A393CA2A
PUT, xrefs: 00000254A393C698
UDP, xrefs: 00000254A393C739
POST, xrefs: 00000254A393C691
GET, xrefs: 00000254A393C68A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: getaddrinfo
String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
API String ID: 300660673-2214405465
Opcode ID: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
Instruction ID: 3f642033486721bab3c4679e173f1dda7ba6139d59bcbec550a485adebacb024
Opcode Fuzzy Hash: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
Instruction Fuzzy Hash: 26C109A22B4E8487EBD1BB1198383F8B798F346F4EF484139DB46465A5FB3495C1DB08

Function 00000254A3924090 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 138timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00000254A39240C2
malloc.MSVCRT ref: 00000254A39240E5
malloc.MSVCRT ref: 00000254A392415B
free.MSVCRT ref: 00000254A39241A2
malloc.MSVCRT ref: 00000254A39242B3
free.MSVCRT ref: 00000254A39242E6

Strings

d, xrefs: 00000254A3924225
<, xrefs: 00000254A392426E
d, xrefs: 00000254A3924267

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: malloc$free$Timetime
String ID: <$d$d
API String ID: 3424428123-2034941416
Opcode ID: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
Instruction ID: de66d2e126a24fd9ea50d0a71def976d43f186fbc9ab2b5d48e696e28b34cbaa
Opcode Fuzzy Hash: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
Instruction Fuzzy Hash: D4711972152F80C6EB90DF62E99435D7BA8F748B8DF088528CB481B794EF74C0A4D714

Function 00000254A391E392 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A391E3D9
GetSystemDirectoryW.KERNEL32 ref: 00000254A391E3EB
lstrcatW.KERNEL32 ref: 00000254A391E400
CreateProcessW.KERNEL32 ref: 00000254A391E493
CloseHandle.KERNEL32 ref: 00000254A391E4A3
CloseHandle.KERNEL32 ref: 00000254A391E4B8

Strings

WinSta0\Winlogon, xrefs: 00000254A391E420
h, xrefs: 00000254A391E473
\cmd.exe, xrefs: 00000254A391E3F1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
String ID: WinSta0\Winlogon$\cmd.exe$h
API String ID: 3110162951-1128999311
Opcode ID: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
Instruction ID: 4fa8146f479e756a7f9ba8916ac4f112afb45458491126d69d2412c9741c38c3
Opcode Fuzzy Hash: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
Instruction Fuzzy Hash: CD31B463969FC183E3A09F10E86839EB7A4F7D934DF44522696C942964FB78C1C9CB04

Function 00000254A3930FB0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00000254A3931003
sendto.WS2_32 ref: 00000254A3931013
_write.MSVCRT ref: 00000254A393102E
WSAGetLastError.WS2_32 ref: 00000254A3931049
WSAGetLastError.WS2_32 ref: 00000254A3931056
WSAGetLastError.WS2_32 ref: 00000254A3931063
WSAGetLastError.WS2_32 ref: 00000254A3931085

Strings

@, xrefs: 00000254A3931092

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$sendto$_write
String ID: @
API String ID: 4063025714-2766056989
Opcode ID: c7bd1ad0bf1584a85a1a61cb4fc126e031526cfb8e27881f91a638e7d804c59f
Instruction ID: baf2d40fa1008c4b76e6f52a3c14497ecba33e5db8bfa23a0ffcbdf5a55aa4a6
Opcode Fuzzy Hash: c7bd1ad0bf1584a85a1a61cb4fc126e031526cfb8e27881f91a638e7d804c59f
Instruction Fuzzy Hash: F321F661258EC083E794BF66E82C3DEB768E748F8DF140124DA5847AB4EF39C9C58709

Function 00000254A3903BD0 Relevance: 15.2, APIs: 10, Instructions: 150networkthreadCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 00000254A3903C23
SetThreadExecutionState.KERNEL32 ref: 00000254A3903C65
SystemParametersInfoW.USER32 ref: 00000254A3903C76
SystemParametersInfoW.USER32 ref: 00000254A3903C87
WSAWaitForMultipleEvents.WS2_32 ref: 00000254A3903CB2
WSAEnumNetworkEvents.WS2_32 ref: 00000254A3903CF2
SetEvent.KERNEL32 ref: 00000254A3903D6B
WSAGetLastError.WS2_32 ref: 00000254A3903D7B
VirtualFree.KERNEL32 ref: 00000254A3903D98
VirtualFree.KERNEL32 ref: 00000254A3903DC2

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: EventEventsFreeInfoParametersSystemVirtual$EnumErrorExecutionLastMultipleNetworkSelectStateThreadWait
String ID:
API String ID: 705661956-0
Opcode ID: b3306e8e6be995fbad07b710c8ebb45c85d78bfb96534e55b13d4da9fa6293f6
Instruction ID: 6b2f141ed9774db2354570ba89c1fcc7f8fb22012116afc01ef3fd6476ce3bfc
Opcode Fuzzy Hash: b3306e8e6be995fbad07b710c8ebb45c85d78bfb96534e55b13d4da9fa6293f6
Instruction Fuzzy Hash: 1F518D32364E4083F794AB25D8A8719A3ADF746F8EF144021EE1A87A94EF34C9D58704

Function 00000254A39245A0 Relevance: 15.1, APIs: 10, Instructions: 100memorytimethreadCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00000254A39245C5
VirtualAlloc.KERNEL32 ref: 00000254A3924647
IsBadReadPtr.KERNEL32 ref: 00000254A3924677
EnterCriticalSection.KERNEL32 ref: 00000254A392468E
send.WS2_32 ref: 00000254A39246A1
GetLastError.KERNEL32 ref: 00000254A39246A7
IsBadReadPtr.KERNEL32 ref: 00000254A39246B7
ExitThread.KERNEL32 ref: 00000254A39246C3
LeaveCriticalSection.KERNEL32 ref: 00000254A39246CE
VirtualFree.KERNEL32 ref: 00000254A39246E4

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
String ID:
API String ID: 3122330297-0
Opcode ID: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
Instruction ID: 3d9f399f48cea3f9f4ba65aec6f8b1ced88fe866e08e1dbda4eff2720bb793be
Opcode Fuzzy Hash: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
Instruction Fuzzy Hash: 2F416E32314E4087E794EF62E86971DB7A4F748B8DF148029CB4A87754EF39D899CB05

Function 00000254A3349BE8 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00000254A3349BF7

Part of subcall function 00000254A33490F8: __vcrt_initialize.LIBVCRUNTIME ref: 00000254A334911A

__scrt_release_startup_lock.LIBCMT ref: 00000254A3349C7A
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00000254A3349C90
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00000254A3349CBC
__scrt_get_show_window_mode.LIBCMT ref: 00000254A3349CCD
__scrt_is_managed_app.LIBCMT ref: 00000254A3349CF0
__scrt_uninitialize_crt.LIBCMT ref: 00000254A3349D07
__scrt_fastfail.LIBCMT ref: 00000254A3349D39
__scrt_fastfail.LIBCMT ref: 00000254A3349D44
__security_init_cookie.LIBCMT ref: 00000254A3349D60

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
String ID:
API String ID: 1326835672-0
Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction ID: d84b1f094a5e861bc4132b67e6716586e3f27df7e718f2de4a55c43045e2aa54
Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction Fuzzy Hash: 423157216ECE0086FAE4BBAC9C7D3E9E2919B4674FF448414954B4B2D7FA3988C5C31D

Function 000000018001A7E8 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000018001A7F7

Part of subcall function 0000000180019CF8: __vcrt_initialize.LIBVCRUNTIME ref: 0000000180019D1A

__scrt_release_startup_lock.LIBCMT ref: 000000018001A87A
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A890
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000000018001A8BC
__scrt_get_show_window_mode.LIBCMT ref: 000000018001A8CD
__scrt_is_managed_app.LIBCMT ref: 000000018001A8F0
__scrt_uninitialize_crt.LIBCMT ref: 000000018001A907
__scrt_fastfail.LIBCMT ref: 000000018001A939
__scrt_fastfail.LIBCMT ref: 000000018001A944
__security_init_cookie.LIBCMT ref: 000000018001A960

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
String ID:
API String ID: 1326835672-0
Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

Function 00000254A390AFC0 Relevance: 15.1, APIs: 10, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390AFD7
CreateEventW.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B061
VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B086
InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B098
VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0BD
InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0CF
VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B0F4
InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B106
VirtualAlloc.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B12B
InitializeCriticalSection.KERNEL32(?,?,?,00000254A3901E17), ref: 00000254A390B13D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: AllocVirtual$CriticalInitializeSection$CreateEvent
String ID:
API String ID: 469433356-0
Opcode ID: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
Instruction ID: 7869ad7b5f46c3e9ffdbeca614d54e92affb4eeabb0b2a0583ea2d6f924e861a
Opcode Fuzzy Hash: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
Instruction Fuzzy Hash: 86410C32262F4083E794AF10FD59649B7ACF709B8AF404029DA5943BA4EF38C5A9C308

Function 00000254A39260B0 Relevance: 15.1, APIs: 10, Instructions: 94stringthreadwindowCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A39260ED
memset.NTDLL ref: 00000254A3926101
memset.NTDLL ref: 00000254A3926115
GetWindowThreadProcessId.USER32 ref: 00000254A3926124

Part of subcall function 00000254A391C950: memset.NTDLL ref: 00000254A391C974
Part of subcall function 00000254A391C950: CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391C97E
Part of subcall function 00000254A391C950: Process32FirstW.KERNEL32 ref: 00000254A391C9A1
Part of subcall function 00000254A391C950: Process32NextW.KERNEL32 ref: 00000254A391C9BE
Part of subcall function 00000254A391C950: CloseHandle.KERNEL32 ref: 00000254A391CA41

lstrlenW.KERNEL32 ref: 00000254A3926143
GetClassNameW.USER32 ref: 00000254A3926161
lstrlenW.KERNEL32 ref: 00000254A392616C
GetWindowTextW.USER32 ref: 00000254A392618E
lstrlenW.KERNEL32 ref: 00000254A392619B
IsWindowVisible.USER32 ref: 00000254A39261B0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memset$Windowlstrlen$Process32$ClassCloseCreateFirstHandleNameNextProcessSnapshotTextThreadToolhelp32Visible
String ID:
API String ID: 4082481662-0
Opcode ID: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
Instruction ID: 3b8b33075a7e3f456178642f6eb7e45aa78129ed750ec29ed7458df8f84f5cf9
Opcode Fuzzy Hash: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
Instruction Fuzzy Hash: 90413966314E809ADB70EF26DD543ED6761F789B9AF405011CE0A8BE58EF38C298CB00

Function 00000254A3901E90 Relevance: 15.1, APIs: 10, Instructions: 91threadmemoryCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00000254A3901EBF
IsBadReadPtr.KERNEL32 ref: 00000254A3901EF4
EnterCriticalSection.KERNEL32 ref: 00000254A3901F0F
VirtualAlloc.KERNEL32 ref: 00000254A3901F25
LeaveCriticalSection.KERNEL32 ref: 00000254A3901F49
GetNativeSystemInfo.KERNEL32 ref: 00000254A3901F7B
CreateThread.KERNEL32 ref: 00000254A3901FB2
CloseHandle.KERNEL32 ref: 00000254A3901FC0
CreateThread.KERNEL32 ref: 00000254A3901FDE
CloseHandle.KERNEL32 ref: 00000254A3901FEC

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
String ID:
API String ID: 3571750651-0
Opcode ID: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
Instruction ID: 469d83ce6850d2dffe8f075b4da9fc35f29584a81f6481e04b8cb00f9a29487b
Opcode Fuzzy Hash: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
Instruction Fuzzy Hash: 4B416336269F8083EB94EF21E818399B7A8F749B8DF458519DE8943754EF38C4D5C708

Function 00000254A39123B0 Relevance: 15.1, APIs: 10, Instructions: 74stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A39123C2
malloc.MSVCRT ref: 00000254A39123DE
Process32FirstW.KERNEL32 ref: 00000254A3912404
lstrlenW.KERNEL32 ref: 00000254A391241B
lstrlenW.KERNEL32 ref: 00000254A3912429
Process32NextW.KERNEL32 ref: 00000254A3912460
lstrlenW.KERNEL32 ref: 00000254A3912474
Process32NextW.KERNEL32 ref: 00000254A39124AB
free.MSVCRT ref: 00000254A39124BD
CloseHandle.KERNEL32 ref: 00000254A39124C6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process32lstrlen$Next$CloseCreateFirstHandleSnapshotToolhelp32freemalloc
String ID:
API String ID: 4027670598-0
Opcode ID: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
Instruction ID: 698fac29040f4edb76f88d8d9b42c7ae38b58e00bc45d018bfce89f612221382
Opcode Fuzzy Hash: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
Instruction Fuzzy Hash: 4A316D61364A0083EB90AF26E858329ABB4F78CFDAF445110DE4A43B64EF3CC5C9CB04

Function 00000254A391D060 Relevance: 15.1, APIs: 10, Instructions: 61serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000254A391D077
OpenServiceW.ADVAPI32 ref: 00000254A391D0A7
GetLastError.KERNEL32 ref: 00000254A391D0B5
CloseServiceHandle.ADVAPI32 ref: 00000254A391D0C0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager
String ID:
API String ID: 2659350385-0
Opcode ID: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
Instruction ID: af127783fcec4269db00b9355b4df053412de245af5befb8d26c36934e7c3614
Opcode Fuzzy Hash: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
Instruction Fuzzy Hash: D4215716779F4083EB84AB66FD592299694A74CFDDF041020DE0F43B15EE3CC4C98B09

Function 00000254A391B8E0 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 00000254A391B8F9
lstrcmpiW.KERNEL32 ref: 00000254A391B916
lstrcmpiW.KERNEL32 ref: 00000254A391B933
lstrcmpiW.KERNEL32 ref: 00000254A391B950
lstrcmpiW.KERNEL32 ref: 00000254A391B96D

Strings

HKEY_LOCAL_MACHINE, xrefs: 00000254A391B906
HKEY_CURRENT_USER, xrefs: 00000254A391B8F2
HKEY_CURRENT_CONFIG, xrefs: 00000254A391B940
HKEY_CLASSES_ROOT, xrefs: 00000254A391B95D
HKEY_USERS, xrefs: 00000254A391B923

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrcmpi
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
API String ID: 1586166983-3507829934
Opcode ID: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
Instruction ID: 0cea05d110ae84595b16aff76ee79297946c3e4d30f163938681798af35caeee
Opcode Fuzzy Hash: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
Instruction Fuzzy Hash: B5011610354F4056EA40AB36ADAD351B2599F48BFEF845224AD27837F8EF74C0C8C309

Function 00000254A3349369 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 00000254A3349462
__scrt_fastfail.LIBCMT ref: 00000254A33494B1
__scrt_fastfail.LIBCMT ref: 00000254A33494BC
__scrt_fastfail.LIBCMT ref: 00000254A33494C7

Strings

`udt returning', xrefs: 00000254A33493CC
`eh vector vbase constructor iterator', xrefs: 00000254A334939C
`local vftable', xrefs: 00000254A33493E0
onstructor closure', xrefs: 00000254A33493F4

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
API String ID: 2273495996-2419032777
Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction ID: 90b4c5fbda654a580379ecdd64fdc19c55e40c8ac8d647e7bc24f2a2a81f1b2a
Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction Fuzzy Hash: 4D413C242AAF008AFA94FB69ED38356A361AB4979FF445525D90E077A4FF3CC4C58308

Function 0000000180019F69 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 000000018001A062
__scrt_fastfail.LIBCMT ref: 000000018001A0B1
__scrt_fastfail.LIBCMT ref: 000000018001A0BC
__scrt_fastfail.LIBCMT ref: 000000018001A0C7

Strings

`udt returning', xrefs: 0000000180019FCC
`eh vector vbase constructor iterator', xrefs: 0000000180019F9C
onstructor closure', xrefs: 0000000180019FF4
`local vftable', xrefs: 0000000180019FE0

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
API String ID: 2273495996-2419032777
Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

Function 00000254A3913A80 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 70stringthreadCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3913AE5
lstrcmpiW.KERNEL32 ref: 00000254A3913B0A
lstrcmpiW.KERNEL32 ref: 00000254A3913B31
CreateThread.KERNEL32 ref: 00000254A3913B9F

Strings

UDP, xrefs: 00000254A3913B22
HTTP, xrefs: 00000254A3913B43
TCP, xrefs: 00000254A3913AFB

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrcmpi$CreateThreadmemset
String ID: HTTP$TCP$UDP
API String ID: 1278753810-3864057669
Opcode ID: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
Instruction ID: cfb4ff040f850239a3ecbb3f80bc9845197ffe187ffeb841a6d74392f7c3f089
Opcode Fuzzy Hash: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
Instruction Fuzzy Hash: 0731C471668F4197E790AF21FCA83AAF3A9F78874EF405125E54A42654FF38C5C9C704

Function 00000254A3922180 Relevance: 13.8, APIs: 9, Instructions: 260COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00000254A392223A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
Instruction ID: 6ffb304cbab60791bb043fbabba51b5b1bed88c2c520475350079af199dfe86a
Opcode Fuzzy Hash: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
Instruction Fuzzy Hash: C1C12536755E408AEB50DFA5D8986AC63B4FB88F8DF004116DE4E57B28EF38C589C704

Function 00000254A3902000 Relevance: 13.6, APIs: 9, Instructions: 73memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

GetCurrentProcessId.KERNEL32 ref: 00000254A3902020
ProcessIdToSessionId.KERNEL32 ref: 00000254A3902030

Part of subcall function 00000254A3916CA0: VirtualAlloc.KERNEL32 ref: 00000254A3916CBE
Part of subcall function 00000254A3916CA0: GetCurrentProcessId.KERNEL32 ref: 00000254A3916D39

VirtualAlloc.KERNEL32 ref: 00000254A3902096
InitializeCriticalSection.KERNEL32 ref: 00000254A39020A8
VirtualAlloc.KERNEL32 ref: 00000254A39020CD
InitializeCriticalSection.KERNEL32 ref: 00000254A39020DF
CreateThread.KERNEL32 ref: 00000254A3902117
WaitForSingleObject.KERNEL32 ref: 00000254A390212D
CloseHandle.KERNEL32 ref: 00000254A3902136

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
String ID:
API String ID: 1571644542-0
Opcode ID: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
Instruction ID: 2cf108d54675dd17c8ad6922a31e5fa26f0245f612f02031a584e73a42cf9d47
Opcode Fuzzy Hash: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
Instruction Fuzzy Hash: E0316F32265B8083E794EF20FC28359F7A8F788B8AF444119EA8646B54EF38C5C9C745

Function 00000254A3920180 Relevance: 13.6, APIs: 9, Instructions: 60serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000254A39201A8
GetLastError.KERNEL32 ref: 00000254A39201B6

Part of subcall function 00000254A3902760: VirtualFree.KERNEL32 ref: 00000254A39027E5
Part of subcall function 00000254A3902760: VirtualFree.KERNEL32 ref: 00000254A390280F

OpenServiceW.ADVAPI32 ref: 00000254A39201E1
GetLastError.KERNEL32 ref: 00000254A39201EF
CloseServiceHandle.ADVAPI32 ref: 00000254A3920205

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorFreeLastOpenServiceVirtual$CloseHandleManager
String ID:
API String ID: 3563172158-0
Opcode ID: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
Instruction ID: b99a63b6a724705e8c727833e1d95bcff54579176cbafa1c2f502eec3df27658
Opcode Fuzzy Hash: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
Instruction Fuzzy Hash: 6A2181157A5F0143EB84FB72AD282199699AB4DFCEF0440259D0B47755FE3CC4C98709

Function 00000254A3918630 Relevance: 12.6, APIs: 10, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualAlloc.KERNEL32 ref: 00000254A3918683
VirtualAlloc.KERNEL32 ref: 00000254A39186CF
IsBadReadPtr.KERNEL32 ref: 00000254A3918711
EnterCriticalSection.KERNEL32 ref: 00000254A3918729
VirtualAlloc.KERNEL32 ref: 00000254A3918740
LeaveCriticalSection.KERNEL32 ref: 00000254A3918764
VirtualFree.KERNEL32 ref: 00000254A3918789
VirtualFree.KERNEL32 ref: 00000254A39187B3
VirtualFree.KERNEL32 ref: 00000254A39187C9
VirtualFree.KERNEL32 ref: 00000254A39187F3

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
Instruction ID: f4ae36e6f95c6d74cac07ccc971fd6fb03189ce9030fac1f344d61f6f1323850
Opcode Fuzzy Hash: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
Instruction Fuzzy Hash: 80517332326E1083EB94AF16E96832DA7A5FB88F89F448024CF4A43B54EF38D495C705

Function 00000254A3949B40 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 183networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00000254A3949CD2

Strings

client_connect4, xrefs: 00000254A3949E14
first service failed, xrefs: 00000254A3949D9F
Proxy-authorization: basic %s, xrefs: 00000254A3949C40
CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws, xrefs: 00000254A3949C05
proxy write failed, xrefs: 00000254A3949CDC
RAW, xrefs: 00000254A3949B9C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: send
String ID: CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws$Proxy-authorization: basic %s$RAW$client_connect4$first service failed$proxy write failed
API String ID: 2809346765-3983456341
Opcode ID: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
Instruction ID: 2ab7e2c89f0fccab07ab1c4de45b3c07ccc0945a99119146ef65cf45be7f442a
Opcode Fuzzy Hash: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
Instruction Fuzzy Hash: 8481C562261F9083EB94EF21D8687E9B7A8F749B8DF448136DF4907798EB34C481C748

Function 00000254A391C760 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

WTSEnumerateSessionsW.WTSAPI32 ref: 00000254A391C79F
WTSQuerySessionInformationW.WTSAPI32 ref: 00000254A391C7FB
lstrlenW.KERNEL32 ref: 00000254A391C813
WTSFreeMemory.WTSAPI32 ref: 00000254A391C892
WTSFreeMemory.WTSAPI32 ref: 00000254A391C8AC

Strings

system, xrefs: 00000254A391C839, 00000254A391C860

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeMemory$EnumerateInformationQuerySessionSessionslstrlen
String ID: system
API String ID: 3618899143-3377271179
Opcode ID: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
Instruction ID: e8429b84a7d007582ed19cf573b6eada84348b181a3f8ab0c04855429f6befe6
Opcode Fuzzy Hash: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
Instruction Fuzzy Hash: E1414776720A608BEB90AF25E89869D77B8F348B8DF401515EF0A53B58EB34C5D4CB04

Function 00000254A39122F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39stringfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A391230D
lstrcatW.KERNEL32 ref: 00000254A391231E
lstrcatW.KERNEL32 ref: 00000254A3912330
DeleteFileW.KERNEL32 ref: 00000254A3912369
GetLastError.KERNEL32 ref: 00000254A3912379

Strings

C:\Program Files\Windows Mail, xrefs: 00000254A3912312
\temp.key, xrefs: 00000254A3912324

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrcat$DeleteErrorFileLastmemset
String ID: C:\Program Files\Windows Mail$\temp.key
API String ID: 3002015462-229217837
Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
Instruction ID: a1b2b96fe75bb72e4d9c130d26071da702be96e9b3e384d307e1a3bde2a7031e
Opcode Fuzzy Hash: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
Instruction Fuzzy Hash: D7118232658B81C3D790AF15F85835AF7A4F7C978DF504116E68A42A68EF7CC589CB04

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000000018000194B
GetModuleFileNameW.KERNEL32 ref: 000000018000195D
wcsstr.NTDLL ref: 000000018000196F
IsUserAnAdmin.SHELL32 ref: 000000018000197A
ExitProcess.KERNEL32 ref: 00000001800019A1

Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800015E5
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 0000000180001609
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 0000000180001613
Part of subcall function 00000001800015B0: memset.NTDLL ref: 0000000180001648
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016A8
Part of subcall function 00000001800015B0: GetModuleFileNameW.KERNEL32 ref: 00000001800016BA
Part of subcall function 00000001800015B0: malloc.MSVCRT ref: 00000001800016CD
Part of subcall function 00000001800015B0: memset.NTDLL ref: 00000001800016E7
Part of subcall function 00000001800015B0: memcpy.NTDLL ref: 00000001800016F5
Part of subcall function 00000001800015B0: OpenSCManagerW.ADVAPI32 ref: 0000000180001789

ExitProcess.KERNEL32 ref: 000000018000198E

Strings

svchost.exe, xrefs: 0000000180001963

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
String ID: svchost.exe
API String ID: 2075570005-3106260013
Opcode ID: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
Instruction ID: a7e4a02683164cc51efae999f71ec939c82b81573c8ef5df0e77f5c8c66af7f8
Opcode Fuzzy Hash: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
Instruction Fuzzy Hash: 7E015231311A4D81FBAAEB21E8A93DA6360BB8D795F449125A99E46295DF3CC34CC740

Function 00000254A3924900 Relevance: 12.1, APIs: 8, Instructions: 108memorytimenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3923BB0: socket.WS2_32 ref: 00000254A3923BF3
Part of subcall function 00000254A3923BB0: GetLastError.KERNEL32 ref: 00000254A3923C02

send.WS2_32 ref: 00000254A392495E
timeGetTime.WINMM ref: 00000254A3924964
VirtualAlloc.KERNEL32 ref: 00000254A3924994
VirtualFree.KERNEL32 ref: 00000254A39249E6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocErrorFreeLastTimesendsockettime
String ID:
API String ID: 675528727-0
Opcode ID: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
Instruction ID: 56ebfcd7e9a0ecd922323b185229df9981c01a3b27f33cb80d1a740bb06b2985
Opcode Fuzzy Hash: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
Instruction Fuzzy Hash: 9141E536325E4083EB94EF66ED2971AA6A8F749FC9F044021DE4987B94EF39C4958708

Function 00000254A390DEC0 Relevance: 12.1, APIs: 8, Instructions: 92memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390DF24
VirtualFree.KERNEL32 ref: 00000254A390DF4E
CreateEventW.KERNEL32 ref: 00000254A390DF64
CreateThread.KERNEL32 ref: 00000254A390DF89
IsBadReadPtr.KERNEL32 ref: 00000254A390DF9E
EnterCriticalSection.KERNEL32 ref: 00000254A390DFB1
VirtualAlloc.KERNEL32 ref: 00000254A390DFC8
LeaveCriticalSection.KERNEL32 ref: 00000254A390DFEC

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$CreateFree$EventInitializeThread
String ID:
API String ID: 1715669518-0
Opcode ID: 063af28826c257ba34dd61794c6217d4116b079e187d054435bfcbad311f18e1
Instruction ID: 29979e8137bcbbbb61cc2d6dff1fa486a7a95c82ec11b3870383611ae24779e7
Opcode Fuzzy Hash: 063af28826c257ba34dd61794c6217d4116b079e187d054435bfcbad311f18e1
Instruction Fuzzy Hash: A0318432325F4083E794AF22E86865DB7A9FB8CB89F448025DF4A43B54EF38C595C705

Function 00000254A3923E20 Relevance: 12.1, APIs: 8, Instructions: 73networkCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3923E51
CreateEventW.KERNEL32 ref: 00000254A3923E82
WSARecv.WS2_32 ref: 00000254A3923EB9
WSAGetLastError.WS2_32 ref: 00000254A3923EBF
WaitForMultipleObjects.KERNEL32 ref: 00000254A3923EDD
WSAGetOverlappedResult.WS2_32 ref: 00000254A3923F0C
WSAGetLastError.WS2_32 ref: 00000254A3923F12
CloseHandle.KERNEL32 ref: 00000254A3923F24

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsOverlappedRecvResultWaitmemset
String ID:
API String ID: 3426673637-0
Opcode ID: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
Instruction ID: a90e71fef0243131255dce22c0d04a30a2a57fd52dec697e302c040f58a7b04f
Opcode Fuzzy Hash: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
Instruction Fuzzy Hash: 4D317432258F8187E760DF51F895B8EB768F788789F504126EB8943A14EF78C5D5CB04

Function 00000254A3923F80 Relevance: 12.1, APIs: 8, Instructions: 56synchronizationthreadnetworkCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A3923FB8
EnterCriticalSection.KERNEL32 ref: 00000254A3923FC6
send.WS2_32 ref: 00000254A3923FD8
GetLastError.KERNEL32 ref: 00000254A3923FDE
IsBadReadPtr.KERNEL32 ref: 00000254A3923FEE
LeaveCriticalSection.KERNEL32 ref: 00000254A3923FFC
WaitForSingleObject.KERNEL32 ref: 00000254A392400F
ExitThread.KERNEL32 ref: 00000254A392401D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalReadSection$EnterErrorExitLastLeaveObjectSingleThreadWaitsend
String ID:
API String ID: 152332814-0
Opcode ID: 2d099a332ae138d2403c0ed02e9701855ee02b40e3ab162302b3085763c8ad70
Instruction ID: 4554024afb4a838e66cdc107a212c53d20e65b5178ef1ad79913b0bbe344bb6e
Opcode Fuzzy Hash: 2d099a332ae138d2403c0ed02e9701855ee02b40e3ab162302b3085763c8ad70
Instruction Fuzzy Hash: 02114221364E0083E780EF62EC6932AEBA8F799F8EF544415DE0947754EF38C8C98745

Function 00000254A3935740 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00000254A3935766

Strings

free, xrefs: 00000254A39357CF, 00000254A393592B
client_reset, xrefs: 00000254A3935851
__lws_close_free_wsi_final, xrefs: 00000254A39358A7
lws_free, xrefs: 00000254A3935967
failed to get ah, xrefs: 00000254A3935892

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: closesocket
String ID: __lws_close_free_wsi_final$client_reset$failed to get ah$free$lws_free
API String ID: 2781271927-1207365477
Opcode ID: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
Instruction ID: a10a2ae2450fb7a7426bac709aea355b269aca916267f0ebbe0ec5ada70f5774
Opcode Fuzzy Hash: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
Instruction Fuzzy Hash: D5517562360F8083EA88E725DA683E9A359F749BADF4442159B79077E1EF34D5A18308

Function 00000254A390E010 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

__chkstk.NTDLL ref: 00000254A390E01D
memset.NTDLL ref: 00000254A390E048
memset.NTDLL ref: 00000254A390E05A

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390E09B
VirtualFree.KERNEL32 ref: 00000254A390E0C5
VirtualFree.KERNEL32 ref: 00000254A390E197
VirtualFree.KERNEL32 ref: 00000254A390E1C1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leavememset$Initialize__chkstk
String ID:
API String ID: 2598321309-0
Opcode ID: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
Instruction ID: 45f210ba4bf466ed5253be101232d775b71d1e8e5cce17d5ae8d9b598ba7b899
Opcode Fuzzy Hash: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
Instruction Fuzzy Hash: 87517132729E5087EBB4EF22E55826EB365F7C9B89F444014DB8A43F44EF38D0958B09

Function 00000254A390D6F0 Relevance: 10.6, APIs: 7, Instructions: 103memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390D790
VirtualFree.KERNEL32 ref: 00000254A390D7BA
CreateThread.KERNEL32 ref: 00000254A390D7E8
IsBadReadPtr.KERNEL32 ref: 00000254A390D80C
EnterCriticalSection.KERNEL32 ref: 00000254A390D81F
VirtualAlloc.KERNEL32 ref: 00000254A390D836
LeaveCriticalSection.KERNEL32 ref: 00000254A390D85A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
String ID:
API String ID: 1508740679-0
Opcode ID: 1b3e0e81731cd236f1cdf85c7afb2c4caa27aaabd1b84022f2bb5430b119c807
Instruction ID: e025a7fe6021430b83063dcad2dd56efe79b40e067c9ba8b042ec226a394414c
Opcode Fuzzy Hash: 1b3e0e81731cd236f1cdf85c7afb2c4caa27aaabd1b84022f2bb5430b119c807
Instruction Fuzzy Hash: DC415232325F4087EB94DF22E954259B7A9FB88B99F044025DF4A53B64EF38C595CB04

Function 00000254A3913119 Relevance: 10.6, APIs: 7, Instructions: 102memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A39131A2
VirtualAlloc.KERNEL32 ref: 00000254A39131E8
NetUserSetInfo.NETAPI32 ref: 00000254A391322B
VirtualFree.KERNEL32 ref: 00000254A391323C
lstrcmpiW.KERNEL32 ref: 00000254A3913255
VirtualFree.KERNEL32 ref: 00000254A391326E
VirtualFree.KERNEL32 ref: 00000254A39133C1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Free$Alloc$InfoUserlstrcmpi
String ID:
API String ID: 2840552451-0
Opcode ID: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
Instruction ID: bf2b928ccd9982a17371c12d84fbaa131e574a90d05423baeb5798fb5bec2ce3
Opcode Fuzzy Hash: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
Instruction Fuzzy Hash: 46418821726E4087E7F4AF22E85835EE769F749B89F444014DE8A43B58EF3CD4898709

Function 00000254A3920AF0 Relevance: 10.6, APIs: 7, Instructions: 82memoryfilestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000254A3920B3E
VirtualAlloc.KERNEL32 ref: 00000254A3920B5C

Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C907
Part of subcall function 00000254A391C8D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00000254A3910EBE), ref: 00000254A391C92F

lstrlenA.KERNEL32 ref: 00000254A3920B8A
WriteFile.KERNEL32 ref: 00000254A3920BA4
VirtualFree.KERNEL32 ref: 00000254A3920BB5
VirtualFree.KERNEL32 ref: 00000254A3920BDA
VirtualFree.KERNEL32 ref: 00000254A3920C04

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$ByteCharFreeMultiWide$AllocFileWritelstrlen
String ID:
API String ID: 2835453980-0
Opcode ID: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
Instruction ID: 550da58d8cfaabc4b3601314a6261ec17852abd16c8680117068bbe895a96c6c
Opcode Fuzzy Hash: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
Instruction Fuzzy Hash: 9D316231719F4087EB94EF67A998619A7A5FB8CBC9F044024EE4A57F14EF38C0A68704

Function 00000254A390D5B0 Relevance: 10.6, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A390D5F7
memset.NTDLL ref: 00000254A390D60C
memcpy.NTDLL ref: 00000254A390D627
memcpy.NTDLL ref: 00000254A390D641
VirtualFree.KERNEL32 ref: 00000254A390D656
VirtualFree.KERNEL32 ref: 00000254A390D680
SHFileOperationW.SHELL32 ref: 00000254A390D6C7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeVirtualmemcpymemset$FileOperation
String ID:
API String ID: 467530429-0
Opcode ID: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
Instruction ID: fa2beabd924f2149c1bc402abb90dad54170ce32e12e21f853e01e43f7dfb1d8
Opcode Fuzzy Hash: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
Instruction Fuzzy Hash: 3D318032225F8086D760EF12F49464EF7A8FB89B88F048525DB9D03B18EF38C556CB04

Function 00000254A3922B20 Relevance: 10.6, APIs: 7, Instructions: 75networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00000254A3922B75
WSASend.WS2_32 ref: 00000254A3922BBB
WSAGetLastError.WS2_32 ref: 00000254A3922BC1
WaitForMultipleObjects.KERNEL32 ref: 00000254A3922BEA
WSAGetLastError.WS2_32 ref: 00000254A3922C23
CloseHandle.KERNEL32 ref: 00000254A3922C35

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
String ID:
API String ID: 248740593-0
Opcode ID: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
Instruction ID: b76b0eb5ab33d2228f1416db8f7dbf611d1908ca3202869cee2e9fd5882c0e39
Opcode Fuzzy Hash: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
Instruction Fuzzy Hash: 6D318032618F8087E7A0DF60F85578AF764F788759F104226EA8846A54EF78C5C8CB05

Function 00000254A3917FA0 Relevance: 10.6, APIs: 7, Instructions: 71memoryfilepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32 ref: 00000254A3917FCF
VirtualAlloc.KERNEL32 ref: 00000254A3917FFC
ReadFile.KERNEL32 ref: 00000254A3918024
VirtualFree.KERNEL32 ref: 00000254A3918047
FlushFileBuffers.KERNEL32 ref: 00000254A3918051
GetLastError.KERNEL32 ref: 00000254A391805B
GetLastError.KERNEL32 ref: 00000254A391807D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
String ID:
API String ID: 1637252459-0
Opcode ID: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
Instruction ID: 5774f0bbbdcf81edc75e60e6d7a2f0f47a0ca5507da4bc3c1a3dc9310272df9b
Opcode Fuzzy Hash: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
Instruction Fuzzy Hash: 9E217136358A4487E7A0AF62E81465AF7A4F78CBEAF0440249E4D43B54EF38C4D58B05

Function 00000254A3907E90 Relevance: 10.6, APIs: 7, Instructions: 69threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A3907EA0
ProcessIdToSessionId.KERNEL32 ref: 00000254A3907EAD
WTSEnumerateSessionsW.WTSAPI32 ref: 00000254A3907EDC
WTSQuerySessionInformationW.WTSAPI32 ref: 00000254A3907F2D
WTSFreeMemory.WTSAPI32 ref: 00000254A3907F52

Part of subcall function 00000254A39076E0: memset.NTDLL ref: 00000254A3907709
Part of subcall function 00000254A39076E0: GetSystemDirectoryW.KERNEL32 ref: 00000254A390771A
Part of subcall function 00000254A39076E0: GetLastError.KERNEL32 ref: 00000254A3907724
Part of subcall function 00000254A39076E0: lstrcatW.KERNEL32 ref: 00000254A39078FB

WTSFreeMemory.WTSAPI32 ref: 00000254A3907F6A
CreateThread.KERNEL32 ref: 00000254A3907F8C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
String ID:
API String ID: 3188162108-0
Opcode ID: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
Instruction ID: ee0f0d86668ca1a4f2548187d4827bb89d30f3661f76e0c8ef4e45ee3d4646f6
Opcode Fuzzy Hash: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
Instruction Fuzzy Hash: CC316F32368F4087E790AF21F85465EB7A5F38878AF544116FB8A43B68EF38D595CB04

Function 00000254A3910360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66processthreadinjectionCOMMON

Download Yara Rule

APIs

CreateProcessWithTokenW.ADVAPI32 ref: 00000254A39103F4
GetLastError.KERNEL32 ref: 00000254A39103FE
CloseHandle.KERNEL32 ref: 00000254A3910410
CloseHandle.KERNEL32 ref: 00000254A3910425
SuspendThread.KERNEL32 ref: 00000254A3910434

Strings

h, xrefs: 00000254A39103EC

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
String ID: h
API String ID: 1678065097-2439710439
Opcode ID: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
Instruction ID: 44d9521b74ce2ab4c6dc224d805e686f4f72c3818c36566f42b679a0dab88725
Opcode Fuzzy Hash: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
Instruction Fuzzy Hash: 13314F73B28F8082E750DF51E89835DB3A4F798798F119225EA9913B14EFB9C8D4CB00

Function 00000254A39105A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00000254A39105FA
memset.NTDLL ref: 00000254A3910615
lstrlenA.KERNEL32 ref: 00000254A391061F
DeviceIoControl.KERNEL32 ref: 00000254A391065A
CloseHandle.KERNEL32 ref: 00000254A3910663

Strings

\\.\{F8284233-48F4-4680-ADDD-F8284233}, xrefs: 00000254A39105D8

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
API String ID: 2589617790-329358119
Opcode ID: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
Instruction ID: b89c0dc5da65135407fbc028cbbf2fe4c2c3444894fe053eae9e435361b013f7
Opcode Fuzzy Hash: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
Instruction Fuzzy Hash: 7A112E36228F4082E7A1DB50F85478AB7A4F78D749F544125EA8943B58EF7DC588CB04

Function 00000254A3923D80 Relevance: 10.5, APIs: 7, Instructions: 43threadnetworkCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A3923D9D
EnterCriticalSection.KERNEL32 ref: 00000254A3923DC2
send.WS2_32 ref: 00000254A3923DD4
GetLastError.KERNEL32 ref: 00000254A3923DDA
IsBadReadPtr.KERNEL32 ref: 00000254A3923DEA
ExitThread.KERNEL32 ref: 00000254A3923DF6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Read$CriticalEnterErrorExitLastSectionThreadsend
String ID:
API String ID: 4016372045-0
Opcode ID: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
Instruction ID: 0b89ee86740f02450c7413814df6734f6eae0737b82fb563935efdc049677960
Opcode Fuzzy Hash: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
Instruction Fuzzy Hash: 8E015E22328E4087D780AF21FC59259A768FB8CBCEF485025EE4A87754DF38C8D9C745

Function 00000254A39026B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A39026D2
GetSystemDirectoryW.KERNEL32 ref: 00000254A39026E1
GetLastError.KERNEL32 ref: 00000254A39026EB
lstrcatW.KERNEL32 ref: 00000254A39026FD
VirtualFree.KERNEL32 ref: 00000254A3902745

Strings

\svchost.exe -k netsvcs, xrefs: 00000254A39026F1

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
String ID: \svchost.exe -k netsvcs
API String ID: 1196864501-2993138014
Opcode ID: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
Instruction ID: aeeeb185d3353e3addfb7a9e9190fd60903acbe85113ae0418bb49f1406f7507
Opcode Fuzzy Hash: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
Instruction Fuzzy Hash: F6015E21265D4583EBA0AF15EC69359A325F788B5DF000211D9AD436E4EF3CC589C704

Function 00000254A390F2E0 Relevance: 10.1, APIs: 8, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A390F308
VirtualAlloc.KERNEL32 ref: 00000254A390F32B
InitializeCriticalSection.KERNEL32 ref: 00000254A390F33D
VirtualAlloc.KERNEL32 ref: 00000254A390F362
VirtualAlloc.KERNEL32 ref: 00000254A390F3B5
InitializeCriticalSection.KERNEL32 ref: 00000254A390F3C7
VirtualFree.KERNEL32 ref: 00000254A390F50E
VirtualFree.KERNEL32 ref: 00000254A390F538

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$CriticalFreeInitializeSection
String ID:
API String ID: 2852478515-0
Opcode ID: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
Instruction ID: 5cdddce4f4b63c4360b22c0b2e50993f977f3ff42f17ecc55fae689376e329df
Opcode Fuzzy Hash: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
Instruction Fuzzy Hash: 87611B35252F4096EB95EF21E8A4399B3ACFB09B4DF44412ACA8D07764FF38C598C748

Function 00000254A3933210 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 192COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A39332AD

Strings

raw, xrefs: 00000254A393326C
lws_protocol_init_vhost, xrefs: 00000254A393324F
protocol %s failed init, xrefs: 00000254A3933261
lws_free, xrefs: 00000254A39334E9
default, xrefs: 00000254A3933277

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memset
String ID: default$lws_free$lws_protocol_init_vhost$protocol %s failed init$raw
API String ID: 2221118986-224536676
Opcode ID: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
Instruction ID: e4a37d11a327ff2c1a2333431856df3a09ada30261226854e01eb3f466ad46ff
Opcode Fuzzy Hash: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
Instruction Fuzzy Hash: 0E91A5B22A0FC082EB99AF11D8987E9B7A8F745B8DF48501AEF9903754EF35C591C704

Function 00000254A39319D0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 146COMMON

Download Yara Rule

Strings

%02X , xrefs: 00000254A3931AEC
(hexdump: NULL ptr), xrefs: 00000254A3931A43
(hexdump: zero length), xrefs: 00000254A3931A10
%04X: , xrefs: 00000254A3931AB3
, xrefs: 00000254A3931B20, 00000254A3931B40

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID:
String ID: $%02X $%04X: $(hexdump: NULL ptr)$(hexdump: zero length)
API String ID: 0-30795012
Opcode ID: 5294b12cb6ddfd132a68633f4a1d4391e7470ebcbf1e631c227f11d59742df34
Instruction ID: 6ff342371acd6de29e9203cb39f0aa0909387d86eb61303f2e87835a744e5b11
Opcode Fuzzy Hash: 5294b12cb6ddfd132a68633f4a1d4391e7470ebcbf1e631c227f11d59742df34
Instruction Fuzzy Hash: 72519662364F8082D7A0AB11F8643DAF7A8F789B8DF444529DA8D43B65EF3CC5858748

Function 00000254A3902910 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 143stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 00000254A3902AF8

Strings

U:I:, xrefs: 00000254A3902A0A
_:B:, xrefs: 00000254A3902A38
^:V:, xrefs: 00000254A39029F5
V:R:, xrefs: 00000254A3902A00
V:_:, xrefs: 00000254A3902954

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: lstrcmpi
String ID: U:I:$V:R:$V:_:$^:V:$_:B:
API String ID: 1586166983-194391922
Opcode ID: c37ba9e02582e707534a94e5af5016ab63ae1cbaf134c547084023abedeaea09
Instruction ID: 7da3b25f4e3858ac6822cab85989fae627a5519af5d0f6b21a280d4dabedc57d
Opcode Fuzzy Hash: c37ba9e02582e707534a94e5af5016ab63ae1cbaf134c547084023abedeaea09
Instruction Fuzzy Hash: A261FC23B54BC0CEF361CFB4D8106ED7BB1E79A38CF115219DE8866A89EB789581C344

Function 00000254A391F2B0 Relevance: 9.1, APIs: 6, Instructions: 86memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A391F316
VirtualAlloc.KERNEL32 ref: 00000254A391F356
NetUserSetInfo.NETAPI32 ref: 00000254A391F390
VirtualFree.KERNEL32 ref: 00000254A391F3A3
lstrcmpiW.KERNEL32 ref: 00000254A391F3B8
VirtualFree.KERNEL32 ref: 00000254A391F3CD

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree$InfoUserlstrcmpi
String ID:
API String ID: 4244901044-0
Opcode ID: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
Instruction ID: 753631735e09481214571d35559eee22dddb66bc086c18eb6e48f995355d2a34
Opcode Fuzzy Hash: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
Instruction Fuzzy Hash: A8319671366B4443EB94AF12EC2871AE795A749FCEF444024DD4A47B98EF7CC889CB04

Function 00000254A3925670 Relevance: 9.1, APIs: 6, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00000254A39256A9
memset.NTDLL ref: 00000254A39256D3
WaitForSingleObject.KERNEL32 ref: 00000254A39256DE
memcpy.NTDLL ref: 00000254A3925703
memcpy.NTDLL ref: 00000254A3925734
SetEvent.KERNEL32 ref: 00000254A3925771

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ObjectSingleWaitmemcpy$Eventmemset
String ID:
API String ID: 2578485326-0
Opcode ID: 4b7ccff7cc8b725b09c582a996c9dbd6aeb28199792e257624d1a1754784ee10
Instruction ID: ebf5c21bbc3bebccb5d01f83edb713c585ffc988e21c8decafbb765a075f3b35
Opcode Fuzzy Hash: 4b7ccff7cc8b725b09c582a996c9dbd6aeb28199792e257624d1a1754784ee10
Instruction Fuzzy Hash: 4531C921764D0083F7A0F7B6EC6879AE6A8E7847DDF144411EF9A8B695FE78C4C18308

Function 00000254A391E790 Relevance: 9.1, APIs: 6, Instructions: 72memorywindowCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000254A391EBC5), ref: 00000254A391E7CD
GetDC.USER32 ref: 00000254A391E827
CreateCompatibleBitmap.GDI32 ref: 00000254A391E839
GetDIBits.GDI32 ref: 00000254A391E85D
ReleaseDC.USER32 ref: 00000254A391E868
DeleteObject.GDI32 ref: 00000254A391E871

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: AllocBitmapBitsCompatibleCreateDeleteObjectReleaseVirtual
String ID:
API String ID: 1942853633-0
Opcode ID: d610f2210541b487ea599f3beb68992543fe9b84b09e2f87d6652d28e22b4989
Instruction ID: ac4000ad3053ffab0aea0e5ca0816a71f2d53d9b7b0670999690e8785ff6eda0
Opcode Fuzzy Hash: d610f2210541b487ea599f3beb68992543fe9b84b09e2f87d6652d28e22b4989
Instruction Fuzzy Hash: AA21D372721B4087EB48AF26B82821DFEA4FB88BD5F05801DDE4653B60DB38C0858B08

Function 00000254A3917EB0 Relevance: 9.1, APIs: 6, Instructions: 56filesleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000254A3917ED0
CreateFileW.KERNEL32 ref: 00000254A3917EFF
GetLastError.KERNEL32 ref: 00000254A3917F10
GetTickCount.KERNEL32 ref: 00000254A3917F24
Sleep.KERNEL32 ref: 00000254A3917F38
CreateFileW.KERNEL32 ref: 00000254A3917F62

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CountCreateFileTick$ErrorLastSleep
String ID:
API String ID: 2478964991-0
Opcode ID: 44fd06d3c223e048c4d0489ead7cd8fe85b8e69849f9c6ee32731d4873113aa6
Instruction ID: fc143ab058c9a9ec0eee87b4b224b80fa12676ecea091dbbe25b59ace2db4b70
Opcode Fuzzy Hash: 44fd06d3c223e048c4d0489ead7cd8fe85b8e69849f9c6ee32731d4873113aa6
Instruction Fuzzy Hash: C9216531228F4187E3A0AF20BC6831BB6A8F7887BDF140715EA6553BD4DB38C8C58705

Function 00000254A3900320 Relevance: 8.9, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00000254A390037C
free.MSVCRT ref: 00000254A39003CC
free.MSVCRT ref: 00000254A390041C
free.MSVCRT ref: 00000254A390046C
free.MSVCRT ref: 00000254A390049B
free.MSVCRT ref: 00000254A39004BD
free.MSVCRT ref: 00000254A39004FB

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
Instruction ID: 9800146f39f82a295c81228370dd3c0bdb543cbbd2840cbb38ca4ef282deeb94
Opcode Fuzzy Hash: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
Instruction Fuzzy Hash: 68511776262F4482FA80AF59E9A4318F7A9F749F8DF589412CA4E43364EF75C4E2C314

Function 00000254A390D990 Relevance: 8.9, APIs: 7, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A390D9B9
VirtualFree.KERNEL32 ref: 00000254A390DA86
VirtualFree.KERNEL32 ref: 00000254A390DAB0
CloseHandle.KERNEL32 ref: 00000254A390DAC5
VirtualFree.KERNEL32 ref: 00000254A390DAF8
VirtualFree.KERNEL32 ref: 00000254A390DB22
VirtualFree.KERNEL32 ref: 00000254A390DB37

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A390442D
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A390445F
Part of subcall function 00000254A3904410: InitializeCriticalSection.KERNEL32 ref: 00000254A3904474
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A3904490
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A39044A3
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A39044BA
Part of subcall function 00000254A3904410: LeaveCriticalSection.KERNEL32 ref: 00000254A39044E9
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A39044FE
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A3904511
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A3904528
Part of subcall function 00000254A3904410: LeaveCriticalSection.KERNEL32 ref: 00000254A3904557
Part of subcall function 00000254A3904410: IsBadReadPtr.KERNEL32 ref: 00000254A390456C
Part of subcall function 00000254A3904410: EnterCriticalSection.KERNEL32 ref: 00000254A390457F
Part of subcall function 00000254A3904410: VirtualAlloc.KERNEL32 ref: 00000254A3904596

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$Free$Leave$Initialize$CloseHandle
String ID:
API String ID: 1803526796-0
Opcode ID: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
Instruction ID: 14a64c6f3867fe35589b1324af81f6275d72d4159d862c7614f9e7b99f4b7575
Opcode Fuzzy Hash: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
Instruction Fuzzy Hash: 83511535266F4087EBA4EF52F86825AB3ACFB49B59F044125DA9E03B54EF38C494C744

Function 00000254A3924A90 Relevance: 8.8, APIs: 7, Instructions: 98COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000254A3924ACD
EnterCriticalSection.KERNEL32 ref: 00000254A3924B04
LeaveCriticalSection.KERNEL32 ref: 00000254A3924B2D
LeaveCriticalSection.KERNEL32 ref: 00000254A3924B54
EnterCriticalSection.KERNEL32 ref: 00000254A3924B95
LeaveCriticalSection.KERNEL32 ref: 00000254A3924BCE
LeaveCriticalSection.KERNEL32 ref: 00000254A3924BE0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
Instruction ID: c6a569066fe5feafea7e2f0e293f3d05ad1cb6170afca1530285e444a3d4e1ab
Opcode Fuzzy Hash: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
Instruction Fuzzy Hash: E8416D36364E5183E750EF61EC2935AA7A9FB88BDEF490021DE4A8B754EE38C485C744

Function 00000254A3905973 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A3905973

Part of subcall function 00000254A391CC60: CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A391CC76
Part of subcall function 00000254A391CC60: malloc.MSVCRT ref: 00000254A391CC84
Part of subcall function 00000254A391CC60: Process32FirstW.KERNEL32 ref: 00000254A391CCA2
Part of subcall function 00000254A391CC60: free.MSVCRT ref: 00000254A391CCB7
Part of subcall function 00000254A391CC60: CloseHandle.KERNEL32(?,?,00000000,00000254A3916D46), ref: 00000254A391CCC5

Part of subcall function 00000254A391D140: OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D165
Part of subcall function 00000254A391D140: EnumServicesStatusExW.ADVAPI32 ref: 00000254A391D1B1
Part of subcall function 00000254A391D140: malloc.MSVCRT ref: 00000254A391D1C6
Part of subcall function 00000254A391D140: memset.NTDLL ref: 00000254A391D1DC
Part of subcall function 00000254A391D140: EnumServicesStatusExW.ADVAPI32 ref: 00000254A391D21B
Part of subcall function 00000254A391D140: CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,00000254A390264E), ref: 00000254A391D228
Part of subcall function 00000254A391D140: free.MSVCRT ref: 00000254A391D231

ExitProcess.KERNEL32 ref: 00000254A3905998
VirtualFree.KERNEL32 ref: 00000254A3905BA8
VirtualFree.KERNEL32 ref: 00000254A3905BD2

Strings

Schedule, xrefs: 00000254A3905980

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CloseEnumFreeHandleProcessServicesStatusVirtualfreemalloc$CreateCurrentExitFirstManagerOpenProcess32ServiceSnapshotToolhelp32memset
String ID: Schedule
API String ID: 2593299425-2739827629
Opcode ID: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
Instruction ID: 8729c69b7f04844247476ab68a23fbf812fecbee3adae5196e3ccd4d230c329e
Opcode Fuzzy Hash: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
Instruction Fuzzy Hash: 62018421366F0083FBE4BB61AC78369D268AB85B8EF004015DA8A02690FE7CC4C54709

Function 00000254A3900720 Relevance: 7.7, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 00000254A39007F2
memcpy.NTDLL ref: 00000254A3900810
memcpy.NTDLL ref: 00000254A39008F3

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
Instruction ID: a9be8c79b144c8bc611bf9e5300f2ba196bb698018f0805922126fb26ed64f0b
Opcode Fuzzy Hash: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
Instruction Fuzzy Hash: FC618E32251F8086FB90DF25E8A8759F7A8FB49B9DF198025CE5E47794EB34C481C744

Function 00000254A39142A0 Relevance: 7.6, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39142F3
VirtualFree.KERNEL32 ref: 00000254A391431D
VirtualAlloc.KERNEL32 ref: 00000254A3914334
InitializeCriticalSection.KERNEL32 ref: 00000254A39143BE
VirtualFree.KERNEL32 ref: 00000254A3914443
VirtualFree.KERNEL32 ref: 00000254A391446D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
String ID:
API String ID: 2124124174-0
Opcode ID: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
Instruction ID: 2b4c189c0d4ab1b5ffe1b27140e68596b21716400aecef6d388ac1b9fcccb55c
Opcode Fuzzy Hash: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
Instruction Fuzzy Hash: DE513C32622F4086EB94EF12E858659B3ACFB8CB89F458125DE8E43B54EF38D594C744

Function 00000254A391EF20 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A391C760: WTSEnumerateSessionsW.WTSAPI32 ref: 00000254A391C79F

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903568
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390363E
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654

VirtualFree.KERNEL32 ref: 00000254A391EFC4
VirtualFree.KERNEL32 ref: 00000254A391EFEE
VirtualFree.KERNEL32 ref: 00000254A391F026
VirtualFree.KERNEL32 ref: 00000254A391F050

Strings

@, xrefs: 00000254A391EF77

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$EnumerateInitializeSessions
String ID: @
API String ID: 3635408051-3454712805
Opcode ID: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
Instruction ID: 04c1b14d7196817a75e8865a5ea099dc21651e4dc5b170c4ba8bed62b5b302ce
Opcode Fuzzy Hash: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
Instruction Fuzzy Hash: A3315032716B4087EBA4EF23E998619A7A5FB89B89F048114DF8A53F14DF39C4958704

Function 00000254A3946140 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00000254A394621D

Strings

http://, xrefs: 00000254A394617A
http_proxy needs to be ads:port, xrefs: 00000254A394623A
proxy auth too long, xrefs: 00000254A39461F0
lws_set_proxy, xrefs: 00000254A394624D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: strchr
String ID: http://$http_proxy needs to be ads:port$lws_set_proxy$proxy auth too long
API String ID: 2830005266-175238664
Opcode ID: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
Instruction ID: 31f8adb7ce96a406e3729e73c259c6a6d21a0fa4aeaaeabf8345f15607e84b80
Opcode Fuzzy Hash: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
Instruction Fuzzy Hash: 4831D861364F8093EBD4EB21E9643DAE758A745B8DF404125DE8D47B86FF3CC18A8308

Function 00000254A3903180 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 00000254A39031D5
VirtualAlloc.KERNEL32 ref: 00000254A39031F2
memcpy.NTDLL ref: 00000254A3903221
memcpy.NTDLL ref: 00000254A3903266

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy$AllocVirtualceil
String ID:
API String ID: 311976409-0
Opcode ID: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
Instruction ID: 6c6eedbf61931b37beac7855647840a625c0c9f976bf385b8cacf3d8959d7ed4
Opcode Fuzzy Hash: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
Instruction Fuzzy Hash: 4A31C431365E5087FB889F5AE9A4218F368F749BC9F108424FB1993B40EB34D5E18708

Function 00000254A390573B Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39057CB
VirtualFree.KERNEL32 ref: 00000254A39057F5
VirtualFree.KERNEL32 ref: 00000254A3905BA8
VirtualFree.KERNEL32 ref: 00000254A3905BD2

Part of subcall function 00000254A391BC20: memcpy.NTDLL ref: 00000254A391BC45
Part of subcall function 00000254A391BC20: memset.NTDLL ref: 00000254A391BCDA
Part of subcall function 00000254A391BC20: wsprintfW.USER32 ref: 00000254A391BCF9
Part of subcall function 00000254A391BC20: SetFileAttributesW.KERNEL32 ref: 00000254A391BD09
Part of subcall function 00000254A391BC20: DeleteFileW.KERNEL32 ref: 00000254A391BD14
Part of subcall function 00000254A391BC20: CreateFileW.KERNEL32 ref: 00000254A391BD44
Part of subcall function 00000254A391BC20: GetLastError.KERNEL32 ref: 00000254A391BD53
Part of subcall function 00000254A391BC20: SetFileAttributesW.KERNEL32 ref: 00000254A391BDA0

Strings

47.238.215.73, xrefs: 00000254A39057AF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$FileFree$EnterRead$AttributesLeave$CreateDeleteErrorInitializeLastmemcpymemsetwsprintf
String ID: 47.238.215.73
API String ID: 3047218378-3254619057
Opcode ID: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
Instruction ID: baf4c07c347162bf633ff1878ac3ea5a55a990405dc58232c304fc037d76436a
Opcode Fuzzy Hash: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
Instruction Fuzzy Hash: 0B317821765E4083FB94EB22E86C72DA3A9FF89B89F41C115DE4A03B54EE38C5C58704

Function 00000254A3905668 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3905706
VirtualFree.KERNEL32 ref: 00000254A3905730
VirtualFree.KERNEL32 ref: 00000254A3905BA8
VirtualFree.KERNEL32 ref: 00000254A3905BD2

Strings

47.238.215.73, xrefs: 00000254A39056C2

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
String ID: 47.238.215.73
API String ID: 696443088-3254619057
Opcode ID: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
Instruction ID: ff87f8f3626894bce8dbad331f4ebba63ac4c4d17eb68ab79499efe5aacacbf5
Opcode Fuzzy Hash: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
Instruction Fuzzy Hash: 04316036766B0182FBA4EF16E868719A7A9FB85B89F018015DF8603B54EF39C4C5CB04

Function 00000254A390D880 Relevance: 7.6, APIs: 5, Instructions: 76memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

CreateThread.KERNEL32 ref: 00000254A390D907
IsBadReadPtr.KERNEL32 ref: 00000254A390D928
EnterCriticalSection.KERNEL32 ref: 00000254A390D93B
VirtualAlloc.KERNEL32 ref: 00000254A390D952
LeaveCriticalSection.KERNEL32 ref: 00000254A390D976

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocVirtual$EnterRead$Leave$CreateInitializeThread
String ID:
API String ID: 986707815-0
Opcode ID: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
Instruction ID: 108db461a5071758cb1dd9a30814bef9fdf248d100af5390069b08d836d6650c
Opcode Fuzzy Hash: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
Instruction Fuzzy Hash: 04315072315F4087EB549F22E814259B7A8FB8DFD9F4880259E8E47B54EF38C599C704

Function 00000254A393E5B0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00000254A393112F), ref: 00000254A393E68E

Strings

%s: OOM, xrefs: 00000254A393E61F
%s: buflist reached sanity limit, xrefs: 00000254A393E65E
lws_buflist_append_segment, xrefs: 00000254A393E602, 00000254A393E618, 00000254A393E633, 00000254A393E652
%s: corrupt list points to self, xrefs: 00000254A393E63F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy
String ID: %s: OOM$%s: buflist reached sanity limit$%s: corrupt list points to self$lws_buflist_append_segment
API String ID: 3510742995-575834517
Opcode ID: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
Instruction ID: 493cafb034d9821c9434db79fb172f7c7739fad4635127172ff027e1eeb0ddd0
Opcode Fuzzy Hash: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
Instruction Fuzzy Hash: E2219572664F4082EA90BB11DC643D9A7A9E74879DF48411AEA5D037B5EF38C4C9C348

Function 00000254A390DB60 Relevance: 7.6, APIs: 5, Instructions: 57stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000254A390DB85
lstrcatW.KERNEL32 ref: 00000254A390DBAC

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A390C850: memset.NTDLL ref: 00000254A390C895
Part of subcall function 00000254A390C850: lstrcatW.KERNEL32 ref: 00000254A390C8A4
Part of subcall function 00000254A390C850: lstrcatW.KERNEL32 ref: 00000254A390C8B8
Part of subcall function 00000254A390C850: memset.NTDLL ref: 00000254A390C8CB
Part of subcall function 00000254A390C850: FindFirstFileW.KERNEL32 ref: 00000254A390C8DC
Part of subcall function 00000254A390C850: FindNextFileW.KERNEL32 ref: 00000254A390C935
Part of subcall function 00000254A390C850: FindNextFileW.KERNEL32 ref: 00000254A390C999

VirtualFree.KERNEL32 ref: 00000254A390DBF3
VirtualFree.KERNEL32 ref: 00000254A390DC1D
free.MSVCRT ref: 00000254A390DC26

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterFileFindReadlstrcat$FreeLeaveNextmemset$FirstInitializefreemalloc
String ID:
API String ID: 2817660952-0
Opcode ID: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
Instruction ID: c9a2594bdfdfde8360a2d583fbb25c0962d491952ff11d18de236d543863e2e5
Opcode Fuzzy Hash: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
Instruction Fuzzy Hash: 5921C631325E8086EB94EF12EC6865AA768F78DFC9F488025DE8E47718EF38C1C58744

Function 00000254A335ADA8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000254A335ADD0
_set_statfp.LIBCMT ref: 00000254A335ADEB
_set_statfp.LIBCMT ref: 00000254A335AE07
_set_statfp.LIBCMT ref: 00000254A335AE43

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction ID: 38efe713ba3820d0123cc59c2e796974253eb674e49e581a234bfa05388514ff
Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction Fuzzy Hash: F111AB22DFCE401EF7D5312CEC7D36990806B5D37FF14562DA966066E6EA3444C16708

Function 000000018002B9A8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018002B9D0
_set_statfp.LIBCMT ref: 000000018002B9EB
_set_statfp.LIBCMT ref: 000000018002BA07
_set_statfp.LIBCMT ref: 000000018002BA43

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302

Function 00000254A3913810 Relevance: 7.5, APIs: 5, Instructions: 28synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00000254A3913832
CloseHandle.KERNEL32 ref: 00000254A3913840
WaitForSingleObject.KERNEL32 ref: 00000254A391384F
GetCurrentProcess.KERNEL32 ref: 00000254A3913859
TerminateProcess.KERNEL32 ref: 00000254A3913864

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleObjectSingleTerminateThreadWait
String ID:
API String ID: 603326088-0
Opcode ID: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
Instruction ID: 223a07810c1ed34830564b8786aa3f6878877e058410a6a624fbf388f919e238
Opcode Fuzzy Hash: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
Instruction Fuzzy Hash: 4CF05461766F0083EB94AF72AC6C325A7A9AB8CB5EF0845649C1986354FE3CC0C68709

Function 00000254A39327A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A393281C
_unlink.MSVCRT ref: 00000254A3932A30
memset.NTDLL ref: 00000254A3932A77

Strings

lws_free, xrefs: 00000254A3932945, 00000254A3932988, 00000254A393299D, 00000254A39329D0, 00000254A3932A7C

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memset$_unlink
String ID: lws_free
API String ID: 1884818752-2419506585
Opcode ID: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
Instruction ID: ab44325f338a4f6f895a1aac34c08617d49a210b228a051bd4d042331b3d43d9
Opcode Fuzzy Hash: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
Instruction Fuzzy Hash: 51815F72261F8186EB94AF15E8683EDA3A4F788B8DF484439CE9D173A4EF34C581C714

Function 00000254A334EA60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000254A334EA98
_invalid_parameter_noinfo.LIBCMT ref: 00000254A334ECD2

Strings

ko-KR, xrefs: 00000254A334EAB7
*, xrefs: 00000254A334EBA5

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *$ko-KR
API String ID: 3215553584-1095117856
Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction ID: f1e807a4db0d87b67aab9a728927d6e4f463adc49dfbfd187e263a3dbda979a7
Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction Fuzzy Hash: 2A71D4725ADA5086E7E4AFAC886826CBBA0FB05F5FF244116CA4642299F731CCC1D75C

Function 000000018001F660 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018001F698
_invalid_parameter_noinfo.LIBCMT ref: 000000018001F8D2

Strings

*, xrefs: 000000018001F7A5
ko-KR, xrefs: 000000018001F6B7

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *$ko-KR
API String ID: 3215553584-1095117856
Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750

Function 00000254A3936000 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A3936058
_time64.MSVCRT ref: 00000254A39360AC

Strings

__lws_header_table_reset, xrefs: 00000254A39360D9
%s: calling service, xrefs: 00000254A39360E7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: _time64memset
String ID: %s: calling service$__lws_header_table_reset
API String ID: 899224009-1639372703
Opcode ID: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
Instruction ID: 0cb757944c861857f7061a01f2bba35537e301459e25021c316c46245c9e4aa3
Opcode Fuzzy Hash: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
Instruction Fuzzy Hash: 7B318E62A10BC083E795DF21D9943EDA768F799B4CF089239DB5C4B269EF34D2E18314

Function 00000254A3902EA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00000254A3902EC7
GetLastError.KERNEL32 ref: 00000254A3902F3F
SysAllocString.OLEAUT32 ref: 00000254A3902F5D

Strings

\Microsoft\Windows, xrefs: 00000254A3902F56

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: AllocErrorInitLastStringVariant
String ID: \Microsoft\Windows
API String ID: 3210815728-1732172413
Opcode ID: 599da941f33650f59f8f3f7e0017e75b387ef8ec1697d5cd213f2b80ee50dc4f
Instruction ID: 36dabc8db56837797697426de1ae63a05d30b50bbc7c17197cb6a985e436cb88
Opcode Fuzzy Hash: 599da941f33650f59f8f3f7e0017e75b387ef8ec1697d5cd213f2b80ee50dc4f
Instruction Fuzzy Hash: D3219F22A18FC582D7619F24F8143EAE374FBD9B99F045212EB8942619EF3CC1C9CB00

Function 00000254A3915EB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00000254A3915EF8
VirtualFree.KERNEL32 ref: 00000254A3915F0E
VirtualFree.KERNEL32 ref: 00000254A3915F44

Strings

boom..., xrefs: 00000254A3915EEC

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: FreeVirtual$Message
String ID: boom...
API String ID: 3815264287-1338744694
Opcode ID: 38ffc653ece4430fce8646697b0d6fa537691b56c7ca04926ed4d985620e0bfa
Instruction ID: b431d62670c49d5b53b6255844a3c1e17d1557c6f0dc9dd3ec480973d13fe47b
Opcode Fuzzy Hash: 38ffc653ece4430fce8646697b0d6fa537691b56c7ca04926ed4d985620e0bfa
Instruction Fuzzy Hash: 87116122766F4082FB94AF22E828369A3A5FB9CB4DF04D214D98A56658FF3DC5C4C744

Function 00000254A3927F50 Relevance: 6.5, APIs: 5, Instructions: 299COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,00000254A3929458,?,00000000,?,00000254A3926506), ref: 00000254A392808C
memcpy.NTDLL ref: 00000254A3928111
memcpy.NTDLL(?,?,00000000,00000254A3929458,?,00000000,?,00000254A3926506), ref: 00000254A392814D
memcpy.NTDLL(?,?,00000000,00000254A3929458,?,00000000,?,00000254A3926506), ref: 00000254A3928189
memcpy.NTDLL(?,?,00000000,00000254A3929458,?,00000000,?,00000254A3926506), ref: 00000254A392823D

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
Instruction ID: d9f1bdd62f3ff4d4eb3f70b47139b52172d81a28e0d07d001e9bbc735ef71f08
Opcode Fuzzy Hash: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
Instruction Fuzzy Hash: E4D18D33728E409BDB58EF69C6947ADB7A5F748B89F108119CB1987740EB30E8B1C745

Function 00000254A390CBD0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00000254A390CBFA

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390CC35
VirtualFree.KERNEL32 ref: 00000254A390CC5F
VirtualFree.KERNEL32 ref: 00000254A390CC89
VirtualFree.KERNEL32 ref: 00000254A390CCB3

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
String ID:
API String ID: 3460648485-0
Opcode ID: 2e3307218b09c89e9c461952443fd9212c3d484f2fdb84382dce19c2a9132c91
Instruction ID: 01232f005b9a02167073a1822a6a58d949152d1191cdb97b41ee69871eed9dd1
Opcode Fuzzy Hash: 2e3307218b09c89e9c461952443fd9212c3d484f2fdb84382dce19c2a9132c91
Instruction Fuzzy Hash: E1317222325E0083EBA8EF63E968219A365FB89F89F048024DF8A43B54DF38D1958745

Function 00000254A392CEC0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

free, xrefs: 00000254A392D31D
ctx destroy, xrefs: 00000254A392CFE7
lws_free, xrefs: 00000254A392D37E

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID:
String ID: ctx destroy$free$lws_free
API String ID: 0-48050916
Opcode ID: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
Instruction ID: d2199163703f667cb521b6d377844ee0078504ead3ee281efc69b4d5b2c23444
Opcode Fuzzy Hash: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
Instruction Fuzzy Hash: BAD1D322391F8083EA9CEB61C9683EDA798F745B8EF448025CB6D0B795EF38C495C744

Function 00000254A3346F98 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

__swift_1, xrefs: 00000254A3347110
__swift_2, xrefs: 00000254A3347134

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: __swift_1$__swift_2
API String ID: 0-2914474356
Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction ID: ef1ea6337782e490b8f05e99aa3ea2273c6c393758ce1a621aa8adb698155222
Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction Fuzzy Hash: CE619F22364F4082EF94EB6DED68369A3A1F744B9EF484525DF6907795EF38D481C308

Function 0000000180017B98 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

__swift_2, xrefs: 0000000180017D34
__swift_1, xrefs: 0000000180017D10

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID:
String ID: __swift_1$__swift_2
API String ID: 0-2914474356
Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340

Function 00000254A3931FB0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

memcpy.NTDLL ref: 00000254A3932186

Strings

!, xrefs: 00000254A3931FD3
lws_free, xrefs: 00000254A393207C, 00000254A393210D, 00000254A39321CC, 00000254A393220E
lws_cache_lookup, xrefs: 00000254A39320DA

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: memcpy
String ID: !$lws_cache_lookup$lws_free
API String ID: 3510742995-3172022147
Opcode ID: f6a4beab21490da4376ac647ec29e6270de45d8bce8204ebcfae65f260a6c429
Instruction ID: 8864876bd89bcd1ae524f86454af833e835e6a5d023f6cf52f1cbee1bcb7be13
Opcode Fuzzy Hash: f6a4beab21490da4376ac647ec29e6270de45d8bce8204ebcfae65f260a6c429
Instruction Fuzzy Hash: 8271B362254F8082DAA5EF52E9543EAE3A8F798B8CF084025DF9D07B68EF34C495C344

Function 00000254A3933620 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 172stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00000254A393377E

Strings

can't find role '%s', xrefs: 00000254A3933741
lws_role_call_adoption_bind, xrefs: 00000254A3933754
raw-proxy, xrefs: 00000254A3933770

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: strcmp
String ID: can't find role '%s'$lws_role_call_adoption_bind$raw-proxy
API String ID: 1004003707-2670016624
Opcode ID: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
Instruction ID: df274e05f85700f564fe59c660b4cfac9668870e51e4732421b7a684fe2af40f
Opcode Fuzzy Hash: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
Instruction Fuzzy Hash: BD6118613A0F4043EAD4AB269CB87A5BB9CF745F8EF445419EE4A47774FA38C485D308

Function 00000254A391DE70 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

WaitForMultipleObjects.KERNEL32 ref: 00000254A391DEC1
WaitForMultipleObjects.KERNEL32 ref: 00000254A391DF8D
VirtualFree.KERNEL32 ref: 00000254A391DFCC
VirtualFree.KERNEL32 ref: 00000254A391DFF6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveMultipleObjectsWait$Initialize
String ID:
API String ID: 1197094596-0
Opcode ID: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
Instruction ID: 04658b6436a34e770b448a7217304bb510ea2653cc91d385ac8124cb7da8619b
Opcode Fuzzy Hash: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
Instruction Fuzzy Hash: 3E41B672725B8083D7A4DF22E86435EB3A5FB89F89F445114DE4A57B54EF39C984CB00

Function 00000254A391F080 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00000254A391F0A4
ProcessIdToSessionId.KERNEL32 ref: 00000254A391F0B1

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A391F164
VirtualFree.KERNEL32 ref: 00000254A391F18E

Part of subcall function 00000254A3906F60: GetCurrentProcessId.KERNEL32 ref: 00000254A3906FDB
Part of subcall function 00000254A3906F60: ProcessIdToSessionId.KERNEL32 ref: 00000254A3906FEB
Part of subcall function 00000254A3906F60: CreateToolhelp32Snapshot.KERNEL32 ref: 00000254A3907014
Part of subcall function 00000254A3906F60: GetProcessHeap.KERNEL32 ref: 00000254A3907023
Part of subcall function 00000254A3906F60: HeapAlloc.KERNEL32 ref: 00000254A3907036
Part of subcall function 00000254A3906F60: CloseHandle.KERNEL32 ref: 00000254A3907047
Part of subcall function 00000254A3906F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00000254A3907056
Part of subcall function 00000254A3906F60: VirtualFree.KERNEL32 ref: 00000254A39071B6
Part of subcall function 00000254A3906F60: VirtualFree.KERNEL32 ref: 00000254A39071E0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
String ID:
API String ID: 1320018004-0
Opcode ID: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
Instruction ID: 8826906e55f8888ea3c9d44e908b2b4b93e763b31e80f34013aa628894a0d339
Opcode Fuzzy Hash: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
Instruction Fuzzy Hash: F3314371365A5083EBD4AF11E86821AB3A4F749F8DF145126EA4743B58EF38C884CB44

Function 00000254A391DA00 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

SetEvent.KERNEL32 ref: 00000254A391DB49
CloseHandle.KERNEL32 ref: 00000254A391DB58
ResetEvent.KERNEL32 ref: 00000254A391DB66
VirtualFree.KERNEL32 ref: 00000254A391DB85

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSectionVirtual$Alloc$EnterRead$EventLeave$CloseFreeHandleInitializeReset
String ID:
API String ID: 4208512464-0
Opcode ID: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
Instruction ID: 3752c370571d2ef8e2cff51b28c9390c2404bb29cc1d5bf1c42f7194758740aa
Opcode Fuzzy Hash: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
Instruction Fuzzy Hash: A2315426365F4083E794EF62E8A8229A369FB88B89F054015DF4B43B54DF38D4D58704

Function 00000254A3902FC0 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 00000254A3902FF0
VirtualAlloc.KERNEL32 ref: 00000254A3903022
memcpy.NTDLL ref: 00000254A3903066
VirtualFree.KERNEL32 ref: 00000254A3903076

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocFreeceilmemcpy
String ID:
API String ID: 941304502-0
Opcode ID: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
Instruction ID: 94c5313779e93ab100cd947449bb8c66336d33a619445e58bcb4bb5fc7f5ebc5
Opcode Fuzzy Hash: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
Instruction Fuzzy Hash: AB210E32725D4087EB94EF39F864259E369E789F8CF184121FA4987748EE34C8C18744

Function 00000254A391A710 Relevance: 6.1, APIs: 4, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

CreateThread.KERNEL32 ref: 00000254A391A782
CloseHandle.KERNEL32 ref: 00000254A391A790
VirtualFree.KERNEL32 ref: 00000254A391A7AC
VirtualFree.KERNEL32 ref: 00000254A391A7D6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
String ID:
API String ID: 4031785131-0
Opcode ID: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
Instruction ID: 7f8b8531d484897d429571594de1e57f4cc09a3887e5aede6d9ded5216185502
Opcode Fuzzy Hash: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
Instruction Fuzzy Hash: E4216062715B4083EBA4EF57A85821EE7A5FB8DFD5F448028DF8A43B14EF38C5858704

Function 00000254A3916140 Relevance: 6.1, APIs: 4, Instructions: 52threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3916188
VirtualFree.KERNEL32 ref: 00000254A39161B2
CreateThread.KERNEL32 ref: 00000254A39161CF
CloseHandle.KERNEL32 ref: 00000254A39161DD

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
String ID:
API String ID: 4031785131-0
Opcode ID: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
Instruction ID: 181200379166cb96770053d25c935200368fcb5d1759d2b7a6e363ebd83899a3
Opcode Fuzzy Hash: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
Instruction Fuzzy Hash: B6116621726F4083EBD4EF62A95821AA765BB88B89F448025DF4A43B54EF38C4A58704

Function 00000254A3925340 Relevance: 6.0, APIs: 4, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00000254A3925368
WaitForSingleObject.KERNEL32 ref: 00000254A3925389
SetEvent.KERNEL32 ref: 00000254A39253A9
SetEvent.KERNEL32 ref: 00000254A39253C0

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Event$ObjectSingleWait
String ID:
API String ID: 2127046782-0
Opcode ID: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
Instruction ID: afc7fa68c8f02839be00d3a3dc6f6d42c8fc7cf1cc41d0cf5dc7c5b943bad96d
Opcode Fuzzy Hash: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
Instruction Fuzzy Hash: C5018E22764D40C3EBE4AB66ED9951DE3E4E78CF99F081011CA094B658EE38C8C98708

Function 00000254A3912FB0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCursorInfo.USER32 ref: 00000254A3912FD5
GetCursorPos.USER32 ref: 00000254A3912FE2
GetTickCount.KERNEL32 ref: 00000254A3912FE8
OpenProcess.KERNEL32 ref: 00000254A3913011

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Cursor$CountInfoOpenProcessTick
String ID:
API String ID: 1051838312-0
Opcode ID: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
Instruction ID: e183f7256d22ac99f8fe83c283329278bb4a6fc1b355793ec303fca7900181d0
Opcode Fuzzy Hash: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
Instruction Fuzzy Hash: B6F0A472664E4183E744AF31EC29229B7A5FB98B4EF044225C64A02654FF38C9D9C744

Function 00000254A3925890 Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A392589E
CancelIo.KERNEL32 ref: 00000254A39258B0
closesocket.WS2_32 ref: 00000254A39258B9
SetEvent.KERNEL32 ref: 00000254A39258CF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CancelEventReadclosesocket
String ID:
API String ID: 2025173275-0
Opcode ID: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
Instruction ID: d4f38f9b716d49b50e2e21df1be29a966b67c73ba9bb6e50b6df2e66f457c298
Opcode Fuzzy Hash: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
Instruction Fuzzy Hash: F4E0C021362E0583FB95BFB1DC68324A798AB48F7EF1847158D354A2D4EE7888C98316

Function 00000254A3341C08 Relevance: 5.4, Strings: 4, Instructions: 387COMMON

Download Yara Rule

Strings

SleepConditionVariableCS, xrefs: 00000254A3341E8E
h-l1-2-0.dll, xrefs: 00000254A3341DEE
WakeAllConditionVariable, xrefs: 00000254A3341ECE
InitializeConditionVariable, xrefs: 00000254A3341E2E

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$h-l1-2-0.dll
API String ID: 0-1747795296
Opcode ID: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
Instruction ID: 924f74cb30fddc6c4e55cf9e43baf3741a99b9cef80ec7fad032b2b7b485f419
Opcode Fuzzy Hash: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
Instruction Fuzzy Hash: 10E1B4627A4F4482EB84BB2DD95815CA3A0F745F9EF808129DB1D577A1EF38C4E5C348

Function 00000254A33533E4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000254A3353427

Strings

o-l1-2-1, xrefs: 00000254A33534CC
gfff, xrefs: 00000254A3353549

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfff$o-l1-2-1
API String ID: 3215553584-1082851355
Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction ID: b749569b4a007d25fc1f23114267d9e33630d9bab7b8075e30aa88ef0bd2109a
Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction Fuzzy Hash: 6D516AA276CBC04AE7A29F3DDC54359EB91E344BADF489261E79447BD6EA38C0C0C704

Function 0000000180023FE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180024027

Strings

o-l1-2-1, xrefs: 00000001800240CC
gfff, xrefs: 0000000180024149

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfff$o-l1-2-1
API String ID: 3215553584-1082851355
Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700

Function 00000254A3353830 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000254A335399E

Strings

api-ms-win-core-sysinfo-l1-2-1, xrefs: 00000254A33538D1
synch-l1-2-0, xrefs: 00000254A33538A4

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
API String ID: 3215553584-688204690
Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction ID: 46d64b3124f350e1ca7d4e0e511919064d93394bec4800cb8bc59f5eb769a1e3
Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction Fuzzy Hash: 5C41AF72768F80CDE740EF69E86479D73E5E71939DF404226EA4843B94EA38C4A5C384

Function 0000000180024430 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018002459E

Strings

synch-l1-2-0, xrefs: 00000001800244A4
api-ms-win-core-sysinfo-l1-2-1, xrefs: 00000001800244D1

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
API String ID: 3215553584-688204690
Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340

Function 00000254A334CA46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A334B878: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00000254A334B87C

__DestructExceptionObject.LIBVCRUNTIME ref: 00000254A334CA6E
__DestructExceptionObject.LIBVCRUNTIME ref: 00000254A334CAF8

Strings

csm, xrefs: 00000254A334CACB

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction ID: db631016fc255ebee16df964a9dc80ad8fd675eb29ed39a1037500a64f3dc729
Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction Fuzzy Hash: 80214D36258A8087E6B0EF5AE85435EF760F788BAFF404201DE9903795DB38D8C2CB05

Function 000000018001D646 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001C478: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000000018001C47C

__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D66E
__DestructExceptionObject.LIBVCRUNTIME ref: 000000018001D6F8

Strings

csm, xrefs: 000000018001D6CB

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01

Function 00000254A390A9A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetRawInputData.USER32 ref: 00000254A390A9EC

Part of subcall function 00000254A3909EC0: __chkstk.NTDLL ref: 00000254A3909ED2
Part of subcall function 00000254A3909EC0: lstrlenW.KERNEL32 ref: 00000254A3909EEB
Part of subcall function 00000254A3909EC0: memset.NTDLL ref: 00000254A3909F13
Part of subcall function 00000254A3909EC0: memset.NTDLL ref: 00000254A3909F33
Part of subcall function 00000254A3909EC0: GetForegroundWindow.USER32 ref: 00000254A3909F38
Part of subcall function 00000254A3909EC0: GetWindowTextW.USER32 ref: 00000254A3909F53
Part of subcall function 00000254A3909EC0: GetWindowThreadProcessId.USER32 ref: 00000254A3909F67
Part of subcall function 00000254A3909EC0: ProcessIdToSessionId.KERNEL32 ref: 00000254A3909F90
Part of subcall function 00000254A3909EC0: memset.NTDLL ref: 00000254A3909FA5
Part of subcall function 00000254A3909EC0: lstrlenW.KERNEL32 ref: 00000254A3909FC3
Part of subcall function 00000254A3909EC0: GetLocalTime.KERNEL32 ref: 00000254A3909FD6
Part of subcall function 00000254A3909EC0: wsprintfW.USER32 ref: 00000254A390A03E
Part of subcall function 00000254A3909EC0: lstrlenW.KERNEL32 ref: 00000254A390A04B
Part of subcall function 00000254A3909EC0: lstrlenA.KERNEL32 ref: 00000254A390A091
Part of subcall function 00000254A3909EC0: MultiByteToWideChar.KERNEL32 ref: 00000254A390A0AA

DefWindowProcW.USER32 ref: 00000254A390AA2A

Strings

0, xrefs: 00000254A390A9CF

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Windowlstrlen$memset$Process$ByteCharDataForegroundInputLocalMultiProcSessionTextThreadTimeWide__chkstkwsprintf
String ID: 0
API String ID: 780575994-4108050209
Opcode ID: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
Instruction ID: 9243ff8e5fccb54467b372909dadef96e0cdf4f2c2f94a9e1eaa5b329b9495b6
Opcode Fuzzy Hash: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
Instruction Fuzzy Hash: A701D631674A8183F6909B15ED1839AF69CF795BEDF144120EA8013BD9DB3CC5C4CB44

Function 00000254A39465E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00000254A394660E
WSAGetLastError.WS2_32 ref: 00000254A3946618

Strings

getpeername: %s, xrefs: 00000254A3946628

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLastgetpeername
String ID: getpeername: %s
API String ID: 2962421750-464625284
Opcode ID: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
Instruction ID: 3315a10fd9c35da849816181fa05c96a58dda6f458f4798e576cc2a0ff996f71
Opcode Fuzzy Hash: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
Instruction Fuzzy Hash: E4F06D66364B4083EA80AB15F9592DAE768A789BCDF444121EE4D47B5AEF38C1C48B04

Function 00000254A3930900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00000254A3930918
WSAGetLastError.WS2_32 ref: 00000254A3930929

Strings

ioctlsocket FIONBIO 1 failed with error %d, xrefs: 00000254A393092F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ioctlsocket FIONBIO 1 failed with error %d
API String ID: 1021210092-1910823214
Opcode ID: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
Instruction ID: 9c491132acb7b49607c3c178d0a14a25e98150488b9a675d3509586bc9aa7eba
Opcode Fuzzy Hash: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
Instruction Fuzzy Hash: 3EE04FA07B5A0293F7806BF19CA93C6AA58974C36EF4410289902466B0EF7DD8DD8B19

Function 00000254A3349D72 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000254A3349D9B

Strings

nt delete closure', xrefs: 00000254A3349DA0
`vector destructor iterator', xrefs: 00000254A3349D80

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: `vector destructor iterator'$nt delete closure'
API String ID: 592178966-1611991873
Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction ID: 5b738856b9ff287e2c6b6e4a841630ecf92c0224ba10497305f73b9eec7e1930
Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction Fuzzy Hash: F4E04F72254F0095DF059F59F8641D8B3A4EB4CB59B4880229A5C47350EB38C5E9C304

Function 000000018001A972 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000000018001A99B

Strings

nt delete closure', xrefs: 000000018001A9A0
`vector destructor iterator', xrefs: 000000018001A980

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: `vector destructor iterator'$nt delete closure'
API String ID: 592178966-1611991873
Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301

Function 00000254A3349E4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00000254A3349E55
_CxxThrowException.LIBVCRUNTIME ref: 00000254A3349E66

Strings

File, xrefs: 00000254A3349E5A

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: File
API String ID: 932687459-749574446
Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction ID: 79f41258dfddd3ea3e4e969c354942cd47d6227d2cdda0284a2e50228a26f1f9
Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction Fuzzy Hash: 22C08C22278C81D2DE60FB4ADCB91C99331F79430EF900001A29D018B6BB38C289CB04

Function 000000018001AA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 000000018001AA55
_CxxThrowException.LIBVCRUNTIME ref: 000000018001AA66

Strings

File, xrefs: 000000018001AA5A

Memory Dump Source

Source File: 00000003.00000002.3261590927.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.3261486935.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262098908.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262200437.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3262320704.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_svchost.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: File
API String ID: 932687459-749574446
Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Function 00000254A390C6E0 Relevance: 5.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034EB
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39034FD
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903510
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903527
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903556
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903568
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390357B
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903592
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035C1
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39035D3
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035E6
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39035FD
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390362C
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A390363E
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903654

VirtualFree.KERNEL32 ref: 00000254A390C7B5
VirtualFree.KERNEL32 ref: 00000254A390C7DF
VirtualFree.KERNEL32 ref: 00000254A390C7F5
VirtualFree.KERNEL32 ref: 00000254A390C81F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
String ID:
API String ID: 3420869360-0
Opcode ID: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
Instruction ID: d05662c1ea1c986566a8817ded262a3a8d70882c59639ac0ea17bc0b2e317ba4
Opcode Fuzzy Hash: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
Instruction Fuzzy Hash: E2416032726B4087EBA4DF62E85851AB7A9FB89F85F148414DF8A03B14EF39C485CB04

Function 00000254A3923A40 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3923B10
VirtualFree.KERNEL32 ref: 00000254A3923B3A
VirtualFree.KERNEL32 ref: 00000254A3923B50
VirtualFree.KERNEL32 ref: 00000254A3923B7A

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
String ID:
API String ID: 696443088-0
Opcode ID: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
Instruction ID: 891a129c276441b7d0f62bd9686d8614cc23aa82d0d39705efce788ae984c88d
Opcode Fuzzy Hash: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
Instruction Fuzzy Hash: 43418432726F4082D794DF53E858A1AB7A9FB89FC5F458115EE9A03704EF39C585CB04

Function 00000254A39181A0 Relevance: 5.1, APIs: 4, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3918213

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3918258
VirtualFree.KERNEL32 ref: 00000254A391828E
VirtualFree.KERNEL32 ref: 00000254A391829F

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
Instruction ID: 52bc5b7362e32ee55b59720b8f2e09ec9b30e267cfaff1d18fe3742011121ca8
Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
Instruction Fuzzy Hash: 9D316F21766E4083FBD5AB62E968319E3A4BB48FDDF084524CE1A47B84FF38C8D58705

Function 00000254A3911210 Relevance: 5.1, APIs: 4, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3911274

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39112B9
VirtualFree.KERNEL32 ref: 00000254A39112EF
VirtualFree.KERNEL32 ref: 00000254A3911300

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
Instruction ID: d37e472dfe6b0f6c8b3a2a24d6bfb8a91d061ed591ee3c19c40c3fe45e4cd216
Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
Instruction Fuzzy Hash: BD314321366E4083EBD4AF27E96831DA795AB49FCEF084524DE1A47B58FF38C8958704

Function 00000254A390B170 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A390B1D4

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390B219
VirtualFree.KERNEL32 ref: 00000254A390B24F
VirtualFree.KERNEL32 ref: 00000254A390B260

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
Instruction ID: a1c057df84c7e4264238ff2e6c9b3b903d1cc53c4dc847374ea632abc5ae8811
Opcode Fuzzy Hash: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
Instruction Fuzzy Hash: 8E318021365E4083FB94AF66E96831DA3A5EB89FCDF084124DE0A47B98FF38C4D58744

Function 00000254A390C150 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A390C1B4

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A390C1F9
VirtualFree.KERNEL32 ref: 00000254A390C22F
VirtualFree.KERNEL32 ref: 00000254A390C240

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
Instruction ID: 907f852b6a7d93a1d0a23394025fc0f780a30b95ff08824992b0b371192f5801
Opcode Fuzzy Hash: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
Instruction Fuzzy Hash: 7E318621361E4082FBD4AF66E968319A3A5EB49FDDF084024CE0A47B58FF38C4C58744

Function 00000254A391D8D0 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A391D93A

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A391D97F
VirtualFree.KERNEL32 ref: 00000254A391D9B5
VirtualFree.KERNEL32 ref: 00000254A391D9C6

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
Instruction ID: a459f3be3343721fefdc1c1f9be197611333250f7132044dd80725a80fb5fcf4
Opcode Fuzzy Hash: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
Instruction Fuzzy Hash: DC318421362E4082EBD4AF23E968729A795BB49FDDF084024CE0A47B84FF38C8958704

Function 00000254A3923030 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3923094

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A39230D9
VirtualFree.KERNEL32 ref: 00000254A392310F
VirtualFree.KERNEL32 ref: 00000254A3923120

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
Instruction ID: c14c3edfb5437bc14dfbfe92e6c99fced2ff529f95c0fcf0b4b6899bd2cc6100
Opcode Fuzzy Hash: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
Instruction Fuzzy Hash: 4D315421365E4082EBD4EF67E968319A799AB48FDDF084124DE0A47B48FF38C4958704

Function 00000254A3916FA0 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3917004

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3917049
VirtualFree.KERNEL32 ref: 00000254A391707F
VirtualFree.KERNEL32 ref: 00000254A3917090

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
Instruction ID: 09402c8fc42ce56ddbef5a2519fa0aef21dcadb9e42325f4f4dadbae20d84170
Opcode Fuzzy Hash: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
Instruction Fuzzy Hash: 7E316421362E4183EBD4AF26E968319A7A5FB4CFDDF084124DE4A47B48FF39C8958704

Function 00000254A3921EA0 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000254A3921F04

Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903347
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390338F
Part of subcall function 00000254A3903330: InitializeCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033A3
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A39033BC
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033CF
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39033E6
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903415
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903427
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A390343A
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903451
Part of subcall function 00000254A3903330: LeaveCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A3903480
Part of subcall function 00000254A3903330: IsBadReadPtr.KERNEL32 ref: 00000254A3903492
Part of subcall function 00000254A3903330: EnterCriticalSection.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034A5
Part of subcall function 00000254A3903330: VirtualAlloc.KERNEL32(?,?,?,00000254A3902014), ref: 00000254A39034BC

VirtualFree.KERNEL32 ref: 00000254A3921F49
VirtualFree.KERNEL32 ref: 00000254A3921F7F
VirtualFree.KERNEL32 ref: 00000254A3921F90

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
String ID:
API String ID: 1953590826-0
Opcode ID: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
Instruction ID: 2058429dcbbc0a4d39c356c0505f83832f34555aa727364307638d814bbda7e1
Opcode Fuzzy Hash: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
Instruction Fuzzy Hash: 63318421361E4083EBD4EF62E968359A395EB48FDDF084124DE1A47B59FF38C4958744

Function 00000254A3348974 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

deleting destructor', xrefs: 00000254A3348A00
ctor closure', xrefs: 00000254A33489DB
`vector constructor iterator', xrefs: 00000254A3348A25
deleting destructor', xrefs: 00000254A334899A

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
API String ID: 0-4293706295
Opcode ID: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
Instruction ID: f69630e2078579cbd478a6397b096ccb9c92713262dc92f8db5a815ab29da7de
Opcode Fuzzy Hash: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
Instruction Fuzzy Hash: 4E21D8616AAF0189FEC4BF59AC6C754A3A0AB48B4FF484428C85A07364FF7DC1C9C309

Function 00000254A3348874 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

deleting destructor', xrefs: 00000254A3348900
ctor closure', xrefs: 00000254A33488DB
`vector constructor iterator', xrefs: 00000254A3348925
deleting destructor', xrefs: 00000254A334889A

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
API String ID: 0-4293706295
Opcode ID: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
Instruction ID: c0cf42ef41d48db58bf3e2e4855ebbc6884eede43f60408b27bc7e5c53eaa0e6
Opcode Fuzzy Hash: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
Instruction Fuzzy Hash: 2721D6606AAF0189FEC4BF59AC6C754A3A0AB49B5FF484428C85A07360FF7DC0C8C309

Function 00000254A3348774 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

deleting destructor', xrefs: 00000254A3348800
ctor closure', xrefs: 00000254A33487DB
`vector constructor iterator', xrefs: 00000254A3348825
deleting destructor', xrefs: 00000254A334879A

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
API String ID: 0-4293706295
Opcode ID: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
Instruction ID: 4fd522d15ecb322b7fe739ffdad62c705632f6a434cd22ee66c735f64690f5f2
Opcode Fuzzy Hash: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
Instruction Fuzzy Hash: FA21C5606AAF0589FE84BF59AC7C754A7A0AB48B5FF484428C85A07360FF7DC0C8C349

Function 00000254A3348674 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

deleting destructor', xrefs: 00000254A3348700
ctor closure', xrefs: 00000254A33486DB
`vector constructor iterator', xrefs: 00000254A3348725
deleting destructor', xrefs: 00000254A334869A

Memory Dump Source

Source File: 00000003.00000002.3270218975.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true

Associated: 00000003.00000002.3270363917.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270388681.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd

Similarity

API ID:
String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
API String ID: 0-4293706295
Opcode ID: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
Instruction ID: a787eb7acb7e5a9edf36d486199a3b79d99642e3bddff8dff24af1d7c71cdf26
Opcode Fuzzy Hash: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
Instruction Fuzzy Hash: 3621C6646AAF0189FEC4BF59AD7C754A7A0AB48B5FF484428D85A07360FF7D80C8D319

Function 00000254A3906BC0 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00000254A3906BE3
EnterCriticalSection.KERNEL32(?,?,00000038,00000254A39071A6), ref: 00000254A3906BFE
LeaveCriticalSection.KERNEL32(?,?,00000038,00000254A39071A6), ref: 00000254A3906C21
LeaveCriticalSection.KERNEL32(?,?,00000038,00000254A39071A6), ref: 00000254A3906C41

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$EnterRead
String ID:
API String ID: 2917996470-0
Opcode ID: 6195ae99069b8bbc5e0251264d858f2dafa8f2920a2e3fbeb294cc83daa5f249
Instruction ID: 4e2858e73a4167ef09d8a49adec2dcceb69c5de05db872252c650575a3d626d8
Opcode Fuzzy Hash: 6195ae99069b8bbc5e0251264d858f2dafa8f2920a2e3fbeb294cc83daa5f249
Instruction Fuzzy Hash: 96114C22365E5087EBD4AF12E868269A7A8EB49FCDF4D5420DF4A47744EF38C8D18704

Function 00000254A3924840 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000254A3924878
LeaveCriticalSection.KERNEL32 ref: 00000254A392488F
EnterCriticalSection.KERNEL32 ref: 00000254A39248AA
LeaveCriticalSection.KERNEL32 ref: 00000254A39248C7

Memory Dump Source

Source File: 00000003.00000002.3270730325.00000254A38F1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000254A38F0000, based on PE: true

Associated: 00000003.00000002.3270705853.00000254A38F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270774738.00000254A3958000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270802191.00000254A396C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3270827182.00000254A3972000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_254a38f0000_svchost.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
Instruction ID: 1fb01edb44299fa381d92e2ae80536af2e6c6bb17353ec516a8927abcf776622
Opcode Fuzzy Hash: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
Instruction Fuzzy Hash: 5B119E21724F80C7D694EF62AD68259A729FB48FCDF480021EE461BB54DF38C4D98304

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report png131.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Mail\arphaCrashReport64.exe

C:\Program Files\Windows Mail\arphaDump64.bin

C:\Program Files\Windows Mail\arphaDump64.dll

C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftEdgeUpdate

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
png131.exe

Function 00000001800015B0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 211
servicestringCOMMON

Function 00000001800080F2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
memorynativeinjectionCOMMON

Function 0000000180009BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Function 0000000180005824 Relevance: 3.0, APIs: 2, Instructions: 40
nativeCOMMON

Function 00000001800054D5 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Function 0000000180001920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
COMMON

Function 000000018000AD3E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Function 000000018000A9BE Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Function 0000000180008E30 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Function 0000000180005A0D Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Function 000000018000AF22 Relevance: 1.5, APIs: 1, Instructions: 31
injectionCOMMON

Function 000000018000A8B2 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Function 000000018000B100 Relevance: 1.5, APIs: 1, Instructions: 30
injectionCOMMON

Function 0000000180001010 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 317
filesleepmemoryCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre